CVE-2022-31107: Grafana OAuth Account Takeover Vulnerability

Open-source analytics and interactive visualization solution Grafana received a critical update recently to fix two high-severity security vulnerabilities that enabled account takeover.

The stored XSS vulnerability – tracked as CVE-2022-31097 – opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform. The issue has a CVSS severity score of 7.3. This flaw affects Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). Researcher Maxim Misharin has been credited with reporting this flaw.

Grafana branch versions v8.0 to v9.0.1 are all vulnerable and in need of security triage, according to the researchers. Fortunately, patches are already available.

Also resolved by Grafana in versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 is a severity flaw. Tracked as CVE-2022-31107, the flaw is an OAuth account takeover vulnerability with a CVSS severity score of 7.1. Grafana versions 5.3 to 9.0.1 are vulnerable. The HTTPVoid team has been credited with reporting this flaw.

Grafana Labs shows how to reproduce CVE-2022-31107

Make sure OAuth login is enabled.

1. Create an attacker user in the OAuth provider with a different email address than the targeted account but the same username (or with the targeted account’s email as username).
2. Log in using OAuth with the attacker user account.
3. You should now be in possession of the targeted account in Grafana.

According to public reports, there are thousands of Grafana servers exposed on the public internet. Users running an affected installation of the aforementioned bugs are recommended to upgrade to the latest version as soon as possible.