CVE-2022-21673
Summary
| CVE | CVE-2022-21673 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-01-18 22:15:00 UTC |
| Updated | 2023-11-07 03:43:00 UTC |
| Description | Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Grafana | Grafana | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release 8.3.4 (2022-01-17) · grafana/grafana · GitHub | MISC | github.com | |
| [SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE-2022-21673 Grafana Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Forward OAuth Identity Token can allow users to access some data sources · Advisory · grafana/grafana · GitHub | CONFIRM | github.com | |
| [SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Release 7.5.13 (2022-01-18) · grafana/grafana · GitHub | MISC | github.com | |
| [SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160238 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-7519)
- 160278 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)
- 240850 Red Hat Update for grafana security (RHSA-2022:7519)
- 240902 Red Hat Update for grafana security (RHSA-2022:8057)
- 282601 Fedora Security Update for grafana (FEDORA-2022-83405f9d5b)
- 282602 Fedora Security Update for grafana (FEDORA-2022-9dd03cab55)
- 502304 Alpine Linux Security Update for grafana
- 752251 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)
- 940770 AlmaLinux Security Update for grafana (ALSA-2022:7519)
- 940826 AlmaLinux Security Update for grafana (ALSA-2022:8057)
- 960182 Rocky Linux Security Update for grafana (RLSA-2022:7519)
- 960528 Rocky Linux Security Update for grafana (RLSA-2022:8057)