SB2022071510 - Multiple vulnerabilities in Grafana

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2022-31107)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in OAuth implementation routine. A remote attacker can bypass authentication process and login under arbitrary account.

2) Stored cross-site scripting (CVE-ID: CVE-2022-31097)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Incorrect Regular Expression (CVE-ID: CVE-2020-7753)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

4) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

5) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

6) Prototype pollution (CVE-ID: CVE-2021-43138)

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper input validation when handling data passed via the mapValues() method. A remote attacker can send a specially crafted request and escalate privileges within the application.

7) Information disclosure (CVE-ID: CVE-2022-0155)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/grafana/grafana/releases/tag/v8.4.10
• https://github.com/grafana/grafana/releases/tag/v9.0.3
• https://github.com/grafana/grafana/releases/tag/v8.5.9
• https://github.com/grafana/grafana/releases/tag/v8.3.10
• https://github.com/grafana/grafana/pull/52279
• https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
• https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f