CVE-2022-31097: 0-day vulnerability in open-source analytics Grafana

CVE-2022-31097

Grafana, the open and composable observability and data visualization platform, received an emergency update today to fix a high-severity zero-day vulnerability that lets an attacker with Editor privileges elevate them to Admin.

Tracked as CVE-2022-31097, the flaw carries a 7.3 severity score and remains exploitable on on-premise servers that have not been updated. The weakness is caused by improper validation of user-supplied input in the Unified Alerting feature. A remote, authenticated attacker can use it to store malicious script in a web page; the script executes in a victim's browser, within the security context of the Grafana site, as soon as the page is viewed. An attacker could use this to steal the victim's cookie-based authentication credentials or, because the script runs in the Grafana origin, to act against the Grafana API with the victim's session, which is how an Editor-level attacker ends up with Admin-level access.
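The sink described above, shown as an added example that is not Grafana's own code: an alert record containing attacker-controlled text is rendered once without escaping and once with context-appropriate HTML escaping. The "summary" annotation field, the payload and the alert object are constructed for illustration; the page does not say which alerting field was affected.

```javascript
// Added example (not Grafana's code): a stored-XSS sink of the kind this
// advisory describes, beside its hardened form. The "summary" field, the
// payload and the stored alert record below are all constructed.

const ATTACKER_SUMMARY = 'Disk full <script>document.title="owned"</script>';

// Vulnerable: untrusted text is concatenated straight into markup, so any
// tags it contains become part of the page for every user who views it.
function renderAlertUnsafe(alert) {
  return `<div class="alert" title="${alert.summary}">` +
         `<h3>${alert.name}</h3><p>${alert.summary}</p></div>`;
}

// Hardened: every untrusted value is HTML-escaped before it is placed in
// either a text node or a double-quoted attribute. All five characters
// matter: & < > for text context, " and ' for attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderAlertSafe(alert) {
  const name = escapeHtml(alert.name);
  const summary = escapeHtml(alert.summary);
  return `<div class="alert" title="${summary}">` +
         `<h3>${name}</h3><p>${summary}</p></div>`;
}

// Detection helper: does the rendered output still contain a live <script>
// start tag? Escaped text does not match because '<' became '&lt;'.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed record, as it might sit in the alerting database after an
// Editor saved it; an Admin viewing the alert list triggers the payload.
const storedAlert = { name: "DiskSpaceLow", summary: ATTACKER_SUMMARY };

console.log("unsafe render executes script:", containsScriptTag(renderAlertUnsafe(storedAlert)));
console.log("safe render executes script:  ", containsScriptTag(renderAlertSafe(storedAlert)));
```

In a real browser page the same distinction is `innerHTML` versus `textContent`; in a React frontend such as Grafana's it is rendering the value as a child string versus passing it through `dangerouslySetInnerHTML`. Escaping on output is what stops the stored payload from running, whatever validation happens on input.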


This flaw affects Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). Grafana Alerting is activated by default in Grafana 9.0.

Details of the issue first became public in July, when Grafana Labs released updates for the affected versions 8.0.0 through 9.0.1.

"On Nov. 25, a Grafana community member reported a stored XSS vulnerability in Grafana Alerting. On further investigation, this vulnerability is a regression of CVE-2022-31097. As this issue was raised in our public repositories, we are treating this as a 0-day and are immediately releasing patches to the public," reads the Grafana security bulletin.

An attacker can exploit CVE-2022-31097 to escalate privileges from Editor to Admin by tricking an authenticated Admin into clicking a link.

Because the publicly reported bug had, in effect, become a zero-day, Grafana Labs released the fix on an expedited timeline:

  • 2022-07-14 – CVE-2022-31097 originally patched in versions 9.0.3, 8.5.9, 8.4.10 and 8.3.10
  • 2022-08-02 – Vulnerability reintroduced due to a build process failure
  • 2022-11-25 11:41 – Stored XSS issue raised in public repository
  • 2022-11-27 13:15 – Issue moved to private repository
  • 2022-11-27 13:20 – Incident raised
  • 2022-11-27 13:33 – Identified as a regression of the previously fixed vulnerability
  • 2022-11-28 11:13 – Verified that hosted Grafana was not exploited
  • 2022-11-28 11:47 – PRs submitted for fix with backports to 9.1 and 9.2
  • 2022-11-28 12:29 – PRs submitted for fix with backports to 9.3
  • 2022-11-28 17:27 – Verified that no other old fixes are missing from releases
  • 2022-11-29 23:58 – New versions of Grafana released to public

Users running an affected installation are advised to upgrade to the latest version (9.3.0 or 9.2.7) as soon as possible.
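A quick way to check whether an on-premise instance is still exposed, as an added example that is not Grafana's own tooling: classify the server's reported version against the fixed releases named on this page. Grafana's `/api/health` endpoint really does return a JSON body with a `version` field; the sample body below is constructed, not a capture. The classification rules are assumptions drawn from this page: minor lines with no fixed release listed here (8.0 to 8.2, and 9.1, for which the timeline mentions a backport but no release) are treated as affected, pre-release tags such as `9.3.0-beta1` sort before the final release, and anything newer than 9.3.0 is assumed to carry the fix.

```javascript
// Added example (not Grafana's code): decide whether a Grafana version is
// at or above a fixed release for CVE-2022-31097, using only the releases
// this advisory names. ASSUMPTIONS: lines with no fixed release listed
// (8.0-8.2, 9.1) count as affected; versions newer than 9.3.0 count as
// patched; a pre-release tag sorts before the final release.

const FIXED_RELEASES = {
  "8.3": "8.3.10", "8.4": "8.4.10", "8.5": "8.5.9", "9.0": "9.0.3", // 2022-07-14
  "9.2": "9.2.7", "9.3": "9.3.0",                                    // 2022-11-29
};
const LATEST_FIXED = "9.3.0";

// Parse "v9.2.6" or "9.3.0-beta1" into numeric parts plus an optional tag.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// strcmp-style result; 9.3.0-beta1 < 9.3.0 because a tagged build is older
// than the untagged final release with the same numbers.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

function classify(versionString) {
  const v = parseVersion(versionString);
  const line = `${v.major}.${v.minor}`;
  if (v.major < 8) {
    return { version: versionString, status: "unaffected",
             reason: "predates Unified Alerting, which arrived in 8.0" };
  }
  const fixed = FIXED_RELEASES[line];
  if (fixed !== undefined) {
    if (compareVersions(v, parseVersion(fixed)) >= 0) {
      return { version: versionString, status: "patched", reason: `at or above fixed release ${fixed}` };
    }
    return { version: versionString, status: "affected", reason: `below fixed release ${fixed}; upgrade to ${fixed}` };
  }
  if (compareVersions(v, parseVersion(LATEST_FIXED)) > 0) {
    return { version: versionString, status: "patched",
             reason: `newer than ${LATEST_FIXED} (assumed to include the fix)` };
  }
  return { version: versionString, status: "affected",
           reason: `no fixed release listed for the ${line} line; upgrade to 9.2.7 or 9.3.0` };
}

// Feed it the body of GET /api/health, which carries a "version" field.
function classifyHealthResponse(body) {
  const doc = JSON.parse(body);
  if (typeof doc.version !== "string") throw new Error("no version field in /api/health body");
  return classify(doc.version);
}

// Constructed sample body, shaped like a real /api/health response.
const SAMPLE_HEALTH = '{"commit":"abc1234","database":"ok","version":"9.2.6"}';

console.log(classifyHealthResponse(SAMPLE_HEALTH));
for (const v of ["8.5.8", "9.0.1", "9.0.3", "9.1.8", "9.3.0-beta1", "9.3.0"]) {
  console.log(v, classify(v).status);
}
```

In practice the body comes from `curl -s https://grafana.example/api/health`; the endpoint needs no authentication, so this check can be run from an inventory script across every on-premise instance, and any result other than "patched" or "unaffected" is an upgrade ticket.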