Researchers discovered a high-impact web security vulnerability in popular dashboard tool Grafana.
The CSRF vulnerability tracked as CVE-2022-21703 opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform.
Grafana branch versions prior to 7.5.15 and 8.3.5 are all vulnerable and in need of security triage, according to the researchers.
Grafana instances configured to allow frame embedding of authenticated dashboards are at increased risk from potential cross-origin attacks. There is currently no workaround; upgrading is the only remedy and should be done as soon as possible.
The researcher said that the vulnerability stemmed from a combination of three security shortfalls: over-reliance on the SameSite cookie attribute, weak validation of requests’ content type, and incorrect assumptions about cross-origin resource sharing (CORS).
There are some preconditions for a successful attack, but even so, attacks may well be feasible.
If an attacker is targeting a Grafana instance with a default configuration on grafana.example.com, an XSS or a subdomain takeover on some subdomain of example.com is needed. The issue has been fixed in Grafana versions 7.5.15 and 8.3.5.
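The three shortfalls listed above map onto three server-side checks. The following is an added example written for this page, not Grafana's own code; `CSRFGuard`, `CheckRequest` and the `RootURL` field are hypothetical names, and it demonstrates why a strict content-type check and an exact origin comparison are needed even when SameSite cookies are in use.

```go
package main

import (
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// CSRFGuard is a hypothetical check (an added example, not Grafana's code)
// for the three gaps the article lists: it does not rely on SameSite cookies,
// it requires an exact JSON content type, and it does not assume CORS stops
// a cross-origin request from being sent. RootURL is an assumed config value.
type CSRFGuard struct{ RootURL string } // e.g. "https://grafana.example.com"

// CheckRequest returns "" when the request may proceed, else the reason for
// rejecting it (a handler wrapper would map a non-empty reason to HTTP 403).
func (g CSRFGuard) CheckRequest(r *http.Request) string {
	if r.Method == http.MethodGet || r.Method == http.MethodHead {
		return "" // read-only methods must not change state: nothing to protect
	}
	// A cross-origin fetch() sent as text/plain is a CORS "simple request":
	// the browser delivers it with cookies and without a preflight. Parse the
	// media type (charset parameters are fine) and insist on JSON.
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return "content type must be application/json"
	}
	// CORS only decides whether the response is readable, not whether the
	// request reaches the server, so compare Origin (or Referer) ourselves.
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if !sameOrigin(src, g.RootURL) {
		return "missing or cross-origin Origin/Referer"
	}
	return ""
}

// sameOrigin compares scheme and host (with port) exactly. A suffix match on
// the domain would admit any sibling subdomain, the same flaw that makes
// SameSite cookies (scoped to the whole site, not the origin) insufficient.
func sameOrigin(candidate, root string) bool {
	c, err1 := url.Parse(candidate)
	b, err2 := url.Parse(root)
	if err1 != nil || err2 != nil || c.Host == "" {
		return false
	}
	return strings.EqualFold(c.Scheme, b.Scheme) && strings.EqualFold(c.Host, b.Host)
}
```

A request from a sibling subdomain such as `evil.example.com` carries the SameSite=Lax cookie but fails the exact origin comparison, which is the case the subdomain-takeover precondition above relies on.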