CVE-2022-31107: Grafana account takeover via OAuth vulnerability
First published: Wed Jul 06 2022(Updated: )
A flaw was found in Grafana. This flaw allows a malicious user with the authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under certain conditions.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/grafana | <0:7.5.11-3.el8_6 | 0:7.5.11-3.el8_6 |
| redhat/grafana | <0:6.2.2-9.el8_1 | 0:6.2.2-9.el8_1 |
| redhat/grafana | <0:6.3.6-5.el8_2 | 0:6.3.6-5.el8_2 |
| redhat/grafana | <0:7.3.6-5.el8_4 | 0:7.3.6-5.el8_4 |
| redhat/grafana | <0:7.5.11-5.el9_0 | 0:7.5.11-5.el9_0 |
| Grafana Grafana | >=5.3.0<8.3.10 | |
| Grafana Grafana | >=8.4.0<8.4.10 | |
| Grafana Grafana | >=8.5.0<8.5.9 | |
| Grafana Grafana | >=9.0.0<9.0.3 | |
| Netapp E-series Performance Analyzer | ||
| redhat/Grafana | <9.0.3 | 9.0.3 |
| redhat/Grafana | <8.5.9 | 8.5.9 |
| redhat/Grafana | <8.4.10 | 8.4.10 |
| redhat/Grafana | <8.3.10 | 8.3.10 |
| go/github.com/grafana/grafana | >=9.0.0<9.0.3 | 9.0.3 |
| go/github.com/grafana/grafana | >=8.5.0<8.5.9 | 8.5.9 |
| go/github.com/grafana/grafana | >=8.4.0<8.4.10 | 8.4.10 |
| go/github.com/grafana/grafana | >=5.3<8.3.10 | 8.3.10 |
Remedy
As a workaround, it is possible to disable any OAuth login or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-31107 https://nvd.nist.gov/vuln/detail/CVE-2022-31107 https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
- https://bugzilla.redhat.com/show_bug.cgi?id=2104367
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2022:5717
- https://access.redhat.com/errata/RHSA-2022:5720
- https://access.redhat.com/errata/RHSA-2022:5719
- https://access.redhat.com/errata/RHSA-2022:5718
- https://access.redhat.com/errata/RHSA-2022:5716
- https://access.redhat.com/security/cve/cve-2022-31107
- https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/
- https://security.netapp.com/advisory/ntap-20220901-0010/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2107435
- https://access.redhat.com/errata/RHSA-2022:8057
- https://nvd.nist.gov/vuln/detail/CVE-2022-31107
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9
- https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3
- https://security.netapp.com/advisory/ntap-20220901-0010
- https://github.com/advisories/GHSA-mx47-6497-3fv2 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this Grafana flaw?
The vulnerability ID of this Grafana flaw is CVE-2022-31107.
What is Grafana?
Grafana is an open-source platform for monitoring and observability.
What versions of Grafana are affected by this vulnerability?
Versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10 of Grafana are affected by this vulnerability.
How can a malicious user exploit this vulnerability?
A malicious user with authorization can log into a Grafana instance via a configured OAuth IdP and take over the account of another user.
What is the severity of this vulnerability?
The severity of this vulnerability is high, with a CVSS (Common Vulnerability Scoring System) score of 7.1.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-31107
- agent/software-canonical-lookup
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mx47-6497-3fv2
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- package-manager/redhat
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/5.3.0
- version/grafana grafana/8.4.0
- version/grafana grafana/8.5.0
- version/grafana grafana/9.0.0
- vendor/netapp
- canonical/netapp e-series performance analyzer
- package-manager/go