Endpoints for data source plugins and proxies prior to 9.1.8 and 8.5.14 did not validate the HTTP header sent with the request. This allowed an attacker to craft an HTTP request with a malicious HTTP header that could be accepted by an endpoint. As a result, an attacker could receive a user's authentication token if the endpoint was vulnerable to this issue.

This issue has been assigned the CVE identifier CVE-2019-5884. We are not aware of any active exploits at this time. Patches for all supported Grafana versions have been released and can be downloaded from our website. If you are using a version prior to 9.1.8 or 8.5.14, you need to update to the latest version.

Summary

A vulnerability in data source plugins and proxies prior to 9.1.8 and 8.5.14 allowed an attacker to craft an HTTP request with a malicious HTTP header that could be accepted by an endpoint. As a result, the attacker could receive a user's authentication token if the endpoint was vulnerable to this issue. To prevent exploitation, patches have been released for Grafana; if you are running a version prior to 9.1.8 or 8.5.14, you need to update.
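The fixed versions above are tracked per release branch, so a plain numeric comparison gets the check wrong (8.5.14 is patched, 9.0.x and 9.1.0 through 9.1.7 are not). The following is an added example, not code from Grafana or this advisory, that decides whether a reported Grafana version carries the fix; the version strings it parses are constructed samples, and treating pre-release builds as older than the final release is an assumption.

```python
import re

# Fixed versions as stated in the advisory, keyed by major release branch.
# The trailing 1 marks a final release; pre-release builds get 0 so that
# "9.1.8-pre" sorts below "9.1.8" (assumption, not from the advisory).
FIXED_VERSIONS = {8: (8, 5, 14, 1), 9: (9, 1, 8, 1)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version):
    """Parse strings such as '9.1.7', 'v8.5.14' or '9.1.8-pre' into a
    comparable tuple (major, minor, patch, final_flag)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognized Grafana version: %r" % version)
    major, minor, patch, prerelease = m.groups()
    final_flag = 0 if prerelease else 1
    return (int(major), int(minor), int(patch), final_flag)


def is_patched(version):
    """Return True when the given Grafana version includes the fix.

    A version is compared only against the fixed version of its own
    branch; majors newer than the newest fixed branch are treated as
    patched, majors older than the oldest fixed branch as unpatched."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[major]
    return major > max(FIXED_VERSIONS)


def check_versions(versions):
    """Map each constructed sample version string to its patch status."""
    return {ver: is_patched(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as collected from /api/health output.
    for ver, ok in check_versions(
        ["8.5.13", "8.5.14", "9.0.5", "9.1.7", "v9.1.8", "9.1.8-pre", "10.0.0"]
    ).items():
        print("%-10s %s" % (ver, "patched" if ok else "UPDATE REQUIRED"))
```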

Vulnerability symptoms and pinpointing the vulnerability

This issue affects the server-side HTTP endpoint used for internal authentication. The following symptoms indicate this vulnerability:
- Grafana accepts authentication tokens from an endpoint on the local network that does not hold valid credentials.
- When attempting to authenticate with a service account, the user is prompted for their own username and password and, in addition, for a username and password that do not exist in the system.
- If a user is using Windows authentication and their computer has been compromised, they may observe their token or session information being sent to an unknown IP address on the network.

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/17/2022 13:31:00 UTC
