Grafana is a popular open-source platform for monitoring and observability. It allows users to create visually appealing and information-rich dashboards to monitor various data sources. However, starting with the 7.x branch, Grafana had a stored Cross-Site Scripting (XSS) vulnerability in the trace view visualization component. The vulnerability arose from improper sanitization of a span's attributes/resources, which are rendered when the span's attributes/resources are expanded.

Vulnerability Details

CVE-2023-0594 is a stored XSS vulnerability in Grafana's trace view visualization that affects versions 7.x and above. The issue occurs because the values of a span's attributes/resources are not properly sanitized, allowing an attacker to inject malicious JavaScript code. An attacker needs the Editor role in order to exploit this vulnerability. When exploited, it allows vertical privilege escalation: a user with the Editor role can change the password of a user with the Admin role to a value known to the attacker if the Admin user executes the malicious JavaScript.

Here's an illustrative code snippet (not Grafana's actual source) showing the vulnerable behavior:

// trace_view.js (illustrative)

// Called when a user expands a span's attributes in the trace view.
expandSpanAttributes = (e) => {
    // Attacker-controlled string stored with the trace, e.g. a span attribute value
    let spanAttributes = e.target.getAttribute('data-span-attributes');
    // No escaping or sanitization is applied here
    let unsanitizedHtml = spanAttributes;
    // Assigning to innerHTML parses the string as HTML, so any tags in it are rendered
    e.target.innerHTML = unsanitizedHtml;
}

In the code above, the expandSpanAttributes function takes a user-defined value (data-span-attributes) from an HTML element and directly sets it as the innerHTML property without proper sanitization. This allows the injection of malicious JavaScript code.
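For contrast, here is a hardened counterpart of that illustrative handler. This is an added example, not Grafana's code or its actual fix; the names escapeHtml, renderSpanAttributes, expandSpanAttributesSafe and makeFakeElement are chosen for this example, and the sample attribute values are constructed from the payload shown in this advisory. Every untrusted string is HTML-escaped before it is placed into markup, so a stored value like <img src=x onerror=...> is displayed as text rather than parsed as an element.

```javascript
// Added example: hardened rendering of span attributes (not Grafana's code).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let a string break out of HTML text or attribute context
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a key/value table; both keys and values pass through escapeHtml
function renderSpanAttributes(attributes) {
  const rows = Object.entries(attributes).map(
    ([key, value]) => `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Hardened handler: the stored attribute is parsed as data (JSON), never as HTML,
// and only escaped pieces reach innerHTML.
function expandSpanAttributesSafe(target) {
  const raw = target.getAttribute('data-span-attributes');
  let attributes;
  try {
    attributes = JSON.parse(raw);
  } catch (err) {
    attributes = {};
  }
  target.innerHTML = renderSpanAttributes(attributes);
}

// Constructed sample input: the payload from the advisory stored as span attribute values
const SAMPLE_ATTRIBUTES = {
  attribute: "<img src=x onerror=alert('XSS')>",
  resource: "<script>/* Malicious JavaScript code */</script>",
};

// Minimal stand-in for a DOM element so the example runs under Node without a browser
function makeFakeElement(dataSpanAttributes) {
  const attrs = { 'data-span-attributes': dataSpanAttributes };
  return {
    innerHTML: '',
    getAttribute: (name) => (attrs[name] !== undefined ? attrs[name] : null),
  };
}

// Detection helper: true if a raw <img or <script tag survived into the rendered markup
function containsRawTag(html) {
  return /<(img|script)\b/i.test(html);
}

// Render the constructed sample and return the resulting markup
function demo() {
  const el = makeFakeElement(JSON.stringify(SAMPLE_ATTRIBUTES));
  expandSpanAttributesSafe(el);
  return el.innerHTML;
}

console.log(demo());
```

Running the block prints a table whose cells contain &lt;img src=x onerror=alert(&#39;XSS&#39;)&gt; and the escaped script tag, i.e. the payload is shown literally and no element or event handler is created. Where the UI only needs plain text, assigning to textContent instead of innerHTML achieves the same result without building markup at all.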

Exploit

An attacker could exploit this vulnerability by crafting a malicious trace view visualization with an injected JavaScript payload, as shown below:

{
  "attribute": "<img src=x onerror=alert('XSS')>",
  "resource": "<script>/* Malicious JavaScript code */</script>"
}

When a user with the Admin role interacts with the dashboard containing the malicious trace view visualization, the JavaScript payload could potentially execute, leading to vertical privilege escalation.

References

- Original advisory: Grafana Advisory
- Grafana GitHub Repository: Grafana GitHub

Remediation

To mitigate this vulnerability, users are advised to upgrade their Grafana instances to versions 8.5.21, 9.2.13, or 9.3.8, where this issue has been fixed. The patch properly sanitizes the user-defined values before rendering them in the Trace View Visualization, preventing the execution of malicious JavaScript.

Administrators should also ensure that all Grafana users remain vigilant when viewing and interacting with dashboards.

It is strongly recommended that users upgrade their Grafana instances to the fixed versions to prevent potential exploits of this vulnerability.

Timeline

Published on: 03/01/2023 16:15:00 UTC
Last modified on: 03/09/2023 00:55:00 UTC