CVE-2022-24812
📋 TL;DR
This vulnerability in Grafana Enterprise allows privilege escalation when the beta fine-grained access control feature is enabled. Permissions resolved for one API key are cached and served to other API keys in the same organization, so an attacker holding a lower-privilege API key inherits the permissions of a higher-privilege key that was used before it and gains access beyond the key's role. Only Grafana Enterprise installations with fine-grained access control enabled and API keys of different roles within one organization are affected; Grafana OSS does not ship the feature.
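The mechanism described above, reduced to a toy model. This is an added illustration and not Grafana's code: it assumes a permission cache keyed only by (org_id, user_id), with API-key principals sharing a placeholder user id of 0, so every API key in an organization lands in the same cache slot and the second key served inherits what the first key resolved. The "fixed" variant keys the cache on the API key's own id. The role-to-permission map is constructed for the example.

```python
"""Toy model of a permission cache that is keyed too coarsely.
Added illustration, not Grafana's code; roles and permissions are constructed."""
from dataclasses import dataclass

ROLE_PERMISSIONS = {  # constructed, simplified role -> permission map
    "Admin": {"dashboards:read", "dashboards:write", "users:write", "settings:write"},
    "Editor": {"dashboards:read", "dashboards:write"},
    "Viewer": {"dashboards:read"},
}


@dataclass(frozen=True)
class ApiKey:
    key_id: int
    org_id: int
    role: str
    user_id: int = 0  # assumption: API keys are not users, so they share a placeholder id


class PermissionCache:
    """key_on_apikey=False models the vulnerable behaviour: the cache key ignores
    which API key is asking, so all keys in an org collide on (org_id, user_id=0)."""

    def __init__(self, key_on_apikey: bool):
        self.key_on_apikey = key_on_apikey
        self._store = {}

    def _cache_key(self, k: ApiKey):
        if self.key_on_apikey:
            return ("apikey", k.org_id, k.key_id)      # fixed: one slot per API key
        return ("user", k.org_id, k.user_id)            # vulnerable: shared slot per org

    def permissions(self, k: ApiKey) -> set:
        ck = self._cache_key(k)
        if ck not in self._store:                      # resolve from the role only once
            self._store[ck] = set(ROLE_PERMISSIONS[k.role])
        return self._store[ck]


def served_permissions(first_role: str, second_role: str, key_on_apikey: bool) -> set:
    """Use one API key, then a second key of another role in the same org,
    and return the permissions the second key is actually served."""
    cache = PermissionCache(key_on_apikey)
    first = ApiKey(key_id=1, org_id=1, role=first_role)
    second = ApiKey(key_id=2, org_id=1, role=second_role)
    cache.permissions(first)           # populates the cache
    return cache.permissions(second)   # hit or miss depends on the cache key


if __name__ == "__main__":
    print("vulnerable, Admin then Viewer:", sorted(served_permissions("Admin", "Viewer", False)))
    print("fixed, Admin then Viewer:     ", sorted(served_permissions("Admin", "Viewer", True)))
    print("vulnerable, Viewer then Admin:", sorted(served_permissions("Viewer", "Admin", False)))
```

The third call shows the order dependence implied by "previously used": in the vulnerable model a Viewer key used first also downgrades the Admin key that follows, which is why the impact is both escalation and lost access.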
💻 Affected Systems
- Grafana Enterprise
📦 What is this software?
Grafana by Grafana Labs: an open-source observability and dashboarding platform. Grafana Enterprise is the commercial edition that adds, among other features, the fine-grained access control (beta in 8.x) involved in this issue.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a Viewer API key could gain Admin privileges, allowing full control over the Grafana instance including data manipulation, user management, and system configuration changes.
Likely Case
Unauthorized access to dashboards, data sources, or administrative functions beyond the assigned permission level, potentially leading to data exposure or manipulation.
If Mitigated
With fine-grained access control disabled or proper patching, the vulnerability is eliminated and API keys function with correct permission boundaries.
🎯 Exploit Status
Exploitation requires valid API keys and specific configuration conditions. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Grafana Enterprise 8.4.6 and later
Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v
Restart Required: Yes
Instructions:
1. Back up your Grafana configuration and database.
2. Download Grafana Enterprise 8.4.6 or later from official sources.
3. Stop the Grafana service.
4. Install the updated version following your platform's installation procedure.
5. Start the Grafana service.
6. Verify the upgrade with grafana-server -v and confirm the running version is 8.4.6 or later.
🔧 Temporary Workarounds
Disable Fine-Grained Access Control
Temporarily disable the vulnerable feature until patching can be completed. Fine-grained access control in Grafana Enterprise 8.x is a beta feature switched on through the accesscontrol feature toggle, so disabling it means removing that toggle rather than changing authentication settings.
Edit grafana.ini and remove accesscontrol from the enable list under [feature_toggles] (or unset the GF_FEATURE_TOGGLES_ENABLE environment variable if the toggle is set that way), then restart Grafana. There is no switch for this in the admin interface, and the [auth.basic] section controls basic authentication, not access control, so changing it does not mitigate this issue.
Note that with the toggle removed the instance falls back to the legacy organization roles, so any custom roles defined under fine-grained access control stop applying until the feature is re-enabled on a fixed version.
🧯 If You Can't Patch
- Disable fine-grained access control immediately (remove the accesscontrol feature toggle and restart)
- Rotate all API keys, keep keys of only one role per organization where possible, and monitor API key usage closely
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable only if all three hold: it runs Grafana Enterprise at a version from 8.1.0-beta1 through 8.4.5, fine-grained access control is enabled (the accesscontrol feature toggle), and at least one organization holds API keys with different roles.
Check Version:
grafana-server -v
Verify Fix Applied:
Verify Grafana Enterprise version is 8.4.6 or higher using the version check command and confirm fine-grained access control functions correctly with API key testing.
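The three checks above as an offline script. This is an added example, not part of the advisory or of Grafana. It assumes the version text is the output of grafana-server -v, that the feature toggle is read from grafana.ini or the GF_FEATURE_TOGGLES_ENABLE environment override, and that API keys were listed per organization with GET /api/auth/keys (fields id, name, role); every input below is constructed.

```python
"""Offline checker for the three vulnerability conditions.
Added example; inputs are constructed, not taken from a real instance."""
import re
from configparser import ConfigParser

AFFECTED_MIN = (8, 1, 0)   # 8.1.0-beta1 is the first affected release
AFFECTED_MAX = (8, 4, 5)   # 8.4.6 carries the fix


def parse_version(text: str) -> tuple:
    """Parse 'grafana-server -v' output such as 'Version 8.4.5 (commit: ..., branch: ...)'.
    Pre-release suffixes (-beta1) are dropped, which keeps 8.1.0-beta1 inside the range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(text: str) -> bool:
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def fgac_enabled(ini_text: str, env: dict = None) -> bool:
    """True if the accesscontrol toggle is on via grafana.ini ([feature_toggles] enable
    list, or accesscontrol = true) or via the GF_FEATURE_TOGGLES_ENABLE environment variable."""
    env = env or {}
    toggles = env.get("GF_FEATURE_TOGGLES_ENABLE", "")
    cp = ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)
    if cp.has_option("feature_toggles", "enable"):
        toggles += " " + cp.get("feature_toggles", "enable")
    per_key = cp.getboolean("feature_toggles", "accesscontrol", fallback=False)
    return per_key or "accesscontrol" in re.split(r"[,\s]+", toggles.strip())


def orgs_with_mixed_roles(keys_by_org: dict) -> list:
    """keys_by_org: {org_id: [{id, name, role}, ...]} from GET /api/auth/keys per org.
    Returns the org ids where API keys of more than one role coexist."""
    return sorted(org for org, keys in keys_by_org.items()
                  if len({k["role"] for k in keys}) > 1)


def assess(version_text: str, ini_text: str, keys_by_org: dict, env: dict = None):
    """Apply all three conditions; returns (vulnerable, reasons)."""
    reasons = []
    if version_affected(version_text):
        reasons.append("version in affected range 8.1.0-beta1..8.4.5")
    if fgac_enabled(ini_text, env):
        reasons.append("accesscontrol feature toggle enabled")
    mixed = orgs_with_mixed_roles(keys_by_org)
    if mixed:
        reasons.append("orgs with mixed-role API keys: %s" % mixed)
    return len(reasons) == 3, reasons


# Constructed sample inputs
SAMPLE_VERSION = "Version 8.4.5 (commit: 0000000, branch: HEAD)"
SAMPLE_INI = """
[feature_toggles]
enable = accesscontrol ngalert

[auth.basic]
enabled = true
"""
SAMPLE_KEYS = {
    1: [{"id": 1, "name": "deploy", "role": "Admin"},
        {"id": 2, "name": "readonly", "role": "Viewer"}],
    2: [{"id": 3, "name": "ci", "role": "Editor"}],
}

if __name__ == "__main__":
    vulnerable, reasons = assess(SAMPLE_VERSION, SAMPLE_INI, SAMPLE_KEYS)
    print("vulnerable:", vulnerable)
    for r in reasons:
        print(" -", r)
```

Because /api/auth/keys only lists keys for the organization of the calling identity, the per-org dictionary has to be built by querying once per organization (for example with the X-Grafana-Org-Id header); the script deliberately takes that listing as input rather than calling the API itself.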
📡 Detection & Monitoring
Log Indicators:
- Unusual API key usage patterns
- API requests from same source with different privilege levels in quick succession
- Permission denied errors followed by successful access
Network Indicators:
- Rapid API key switching in API requests
- Unexpected privilege escalation in API call sequences
SIEM Query (an illustrative free-text search; adapt the field names to your SIEM, and for Grafana itself enable router_logging = true under [log] in grafana.ini so that every request is logged with method, path, status and remote_addr):
source="grafana" AND ("API Key" OR "authentication") AND ("permission" OR "access") AND ("escalation" OR "unauthorized")
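The first two log indicators (a permission-denied response followed shortly by success for the same source and path) as detection logic run over sample log lines. This is an added example, not from the advisory. The lines are constructed and modelled on Grafana's logfmt request log; the exact field set is an assumption.

```python
"""Detect 403 -> 2xx sequences per (remote_addr, path) within a short window.
Added example; the log lines are constructed, not captured from a real instance."""
import re
from datetime import datetime

# Constructed sample: 203.0.113.7 is denied on an admin endpoint and succeeds
# five seconds later; 198.51.100.9 is denied and only succeeds three minutes on.
SAMPLE_LOG = """\
logger=context userId=0 orgId=1 uname= t=2022-04-12T10:00:00+0000 lvl=info msg="Request Completed" method=GET path=/api/admin/settings status=403 remote_addr=203.0.113.7 time_ms=1 size=0 referer=
logger=context userId=0 orgId=1 uname= t=2022-04-12T10:00:03+0000 lvl=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=203.0.113.7 time_ms=4 size=512 referer=
logger=context userId=0 orgId=1 uname= t=2022-04-12T10:00:05+0000 lvl=info msg="Request Completed" method=GET path=/api/admin/settings status=200 remote_addr=203.0.113.7 time_ms=3 size=2048 referer=
logger=context userId=0 orgId=1 uname= t=2022-04-12T10:06:00+0000 lvl=info msg="Request Completed" method=GET path=/api/admin/settings status=403 remote_addr=198.51.100.9 time_ms=1 size=0 referer=
logger=context userId=0 orgId=1 uname= t=2022-04-12T10:09:00+0000 lvl=info msg="Request Completed" method=GET path=/api/admin/settings status=200 remote_addr=198.51.100.9 time_ms=2 size=2048 referer=
"""

# key=value pairs; values are either a double-quoted string or a run of non-space chars
LOGFMT = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line: str) -> dict:
    """Parse one logfmt line; quoted values keep only their inner text."""
    out = {}
    for key, val in LOGFMT.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        out[key] = val
    return out


def request_events(log_text: str):
    """Yield (time, remote_addr, path, status) for every completed request."""
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        t = datetime.strptime(f["t"], "%Y-%m-%dT%H:%M:%S%z")
        yield t, f["remote_addr"], f["path"], int(f["status"])


def denied_then_allowed(log_text: str, window_s: int = 60) -> list:
    """Return (remote_addr, path, seconds_between) for each 403 that the same
    source turns into a 2xx on the same path within window_s seconds."""
    last_denied = {}
    hits = []
    for t, addr, path, status in sorted(request_events(log_text), key=lambda e: e[0]):
        key = (addr, path)
        if status == 403:
            last_denied[key] = t                # remember the most recent denial
        elif 200 <= status < 300 and key in last_denied:
            gap = (t - last_denied[key]).total_seconds()
            if gap <= window_s:
                hits.append((addr, path, gap))
            del last_denied[key]                # at most one alert per denial
    return hits


if __name__ == "__main__":
    for addr, path, gap in denied_then_allowed(SAMPLE_LOG):
        print("denied then allowed: %s %s after %.0fs" % (addr, path, gap))
```

The window is the tunable part: a legitimate permission change followed by a retry also produces a 403 then a 200, so a short window (seconds, not minutes) and a focus on admin and user-management paths keeps the rule from firing on ordinary role edits.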
🔗 References
- https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v
- https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-4-6/
- https://security.netapp.com/advisory/ntap-20220519-0005/