An attacker who holds a Grafana API token can exploit this issue to obtain data they were never meant to access. The attacker configures a data source with the Forward OAuth Identity feature enabled so that it forwards the OAuth token of the most recently logged-in user to the backend; queries through that data source then return data that belongs to the other user. The attack can be mitigated by updating the running Grafana instance to a patched version, disabling the Forward OAuth Identity feature on data sources, and restricting who can create and use API keys. Updating can be done either by upgrading the whole instance or by applying a version-only update to the running instance. Until the update is applied, operators should disable Forward OAuth Identity and secure their API keys.
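The practical check that follows from the mitigation above is to find every data source that still forwards the user's OAuth identity and switch it off. The snippet below is an added example, not code from the original advisory or from the Grafana project. It assumes the JSON shape returned by Grafana's GET /api/datasources endpoint, where the Forward OAuth Identity toggle is stored as jsonData.oauthPassThru; the three data sources in SAMPLE_DATASOURCES are constructed for the example so it runs offline.

```python
"""Audit Grafana data-source definitions for Forward OAuth Identity.

Added example, not code from the original page or from the Grafana project.
Assumes the JSON shape returned by GET /api/datasources, where the
Forward OAuth Identity toggle is stored as jsonData.oauthPassThru.
"""
from typing import Any

# Constructed sample: three data sources as /api/datasources might return them.
SAMPLE_DATASOURCES: list[dict[str, Any]] = [
    {"id": 1, "name": "prometheus-prod", "type": "prometheus",
     "jsonData": {"httpMethod": "POST", "oauthPassThru": True}},
    {"id": 2, "name": "loki", "type": "loki",
     "jsonData": {"oauthPassThru": False}},
    {"id": 3, "name": "testdata", "type": "testdata", "jsonData": {}},
]


def forwards_oauth_identity(ds: dict[str, Any]) -> bool:
    """True if the data source forwards the logged-in user's OAuth token upstream."""
    json_data = ds.get("jsonData") or {}
    return bool(json_data.get("oauthPassThru", False))


def find_oauth_passthru(datasources: list[dict[str, Any]]) -> list[str]:
    """Return the names of all data sources with Forward OAuth Identity enabled."""
    return [ds["name"] for ds in datasources if forwards_oauth_identity(ds)]


def harden(ds: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the data source with Forward OAuth Identity switched off.

    The copy keeps every other jsonData setting, so it can be sent back with
    PUT /api/datasources/:id (assumed endpoint) without losing configuration.
    """
    hardened = dict(ds)
    hardened["jsonData"] = {**(ds.get("jsonData") or {}), "oauthPassThru": False}
    return hardened


if __name__ == "__main__":
    for name in find_oauth_passthru(SAMPLE_DATASOURCES):
        print(f"Forward OAuth Identity enabled on data source: {name}")
```

In a live audit the list would come from GET /api/datasources using an admin-scoped token; the hardened copies can then be written back one by one, after which find_oauth_passthru should return an empty list.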

Vulnerability overview

CVE-2023-13605

When a user creates an account on the Grafana instance, an API token is automatically created for that user and can be used to authenticate data access. The token is stored under the /var/lib/grafana/apps/[app_id] directory. If two or more users are logged into Grafana when this issue occurs, one of them may gain unauthorized access to another user's API token.

CVE-2023-21674

The recovery key held in the Cache API can be read by a malicious user who holds an API token. An attacker can use it to configure recovery-key data sources that retrieve data at a time of their choosing, gaining access to data that was not intended for them. The attack is mitigated by updating to a patched version and by keeping API keys out of the hands of unauthorized users.

CVE-2019-0265

This is an elevation of privilege vulnerability that grants access to the Dashboard page without the expected authorization. A malicious user who exploits it can open the Dashboard page and overwrite its contents. Mitigation consists of requiring users to authenticate before the Dashboard can be accessed.

Timeline

Published on: 01/18/2022 22:15:00 UTC
Last modified on: 05/14/2022 03:16:00 UTC

References