CVE-2022-31097
📋 TL;DR
Grafana 8.0 through 9.0.2 (the 8.x and 9.x branches before 9.0.3, 8.5.9, 8.4.10 and 8.3.10) contain a stored cross-site scripting (XSS) flaw in the Unified Alerting feature. An attacker who already holds the Editor role can plant a payload in alerting content and escalate to Admin by getting an authenticated Admin to open a crafted link: the script then runs in the Admin's browser session and can call the Grafana API with that user's privileges. Any deployment running a vulnerable version with Unified Alerting enabled is affected.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana Labs: an open-source observability and dashboarding platform. Unified Alerting is its alert rule engine, introduced as an opt-in feature in 8.0 and made the default in 9.0; it stores alert rules, contact points and notification policies that Editors can create and that Admins review in the alerting UI.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the Grafana instance: every dashboard, data source (including stored credentials and proxied queries), user account and organization setting becomes readable and editable, and data source credentials can serve as a pivot to the systems behind Grafana.
Likely Case
Privilege escalation from editor to admin role, enabling unauthorized configuration changes and data access.
If Mitigated
Limited impact with proper network segmentation, admin user awareness training, and least privilege principles.
🎯 Exploit Status
Requires an authenticated account with the Editor role (to plant the payload) plus social engineering to get an Admin user to open the crafted link while logged in. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.3, 8.5.9, 8.4.10, or 8.3.10 (the first fixed release on each branch; 8.0.x to 8.2.x have no fixed release and must move to 8.3.10 or later)
Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
Restart Required: Yes
Instructions:
1. Back up grafana.ini, the Grafana database (grafana.db for SQLite, or your MySQL/PostgreSQL database) and any provisioning files.
2. Stop the Grafana service.
3. Upgrade to the fixed release for your branch with the package manager, the official container image tag, or a manual install.
4. Start the Grafana service.
5. Verify the version (grafana-server -v or Settings → About) and confirm that alert rules evaluate and contact points deliver as before.
🔧 Temporary Workarounds
Disable Unified Alerting (switch back to legacy alerting)
The advisory names Unified Alerting as the vulnerable component; the legacy alerting engine does not carry this flaw. In grafana.ini set enabled = false under [unified_alerting] and enabled = true under [alerting] (or, for containers, GF_UNIFIED_ALERTING_ENABLED=false and GF_ALERTING_ENABLED=true), then restart Grafana. Caveat: switching engines migrates alerting data, so rules, contact points and silences created under Unified Alerting are not preserved by the legacy engine, and depending on your 9.x release Grafana may refuse to start after the rollback unless force_migration = true is also set under [unified_alerting]. Test the rollback on a non-production instance first and keep the database backup.
Disable Alerting Entirely
If you can tolerate losing alert evaluation until you patch, set enabled = false under both [unified_alerting] and [alerting] in grafana.ini and restart. This removes the vulnerable code path but also every alert, so cover the gap with an external alerting source.
🧯 If You Can't Patch
- Put the Grafana admin interface behind strict network access controls (VPN, IP allow-lists, authenticating reverse proxy) so only trusted networks reach it
- Review who holds the Editor role; the attacker needs it to plant the payload, so reduce accounts that only need Viewer
- Enable Grafana's Content-Security-Policy header (content_security_policy = true under [security]) as defense in depth; it can block some injected scripts but is not a substitute for the patch
- Educate Admin users about phishing links into Grafana and enforce multi-factor authentication at your identity provider; note that MFA protects the login, not an already-authenticated session that the XSS rides on
🔍 How to Verify
Check if Vulnerable:
Read the running version from the web interface (Settings → About), from the unauthenticated GET /api/health endpoint (its JSON has a "version" field), or from the command line. The affected ranges are:
- 8.0.x, 8.1.x and 8.2.x: every release (no fix on these branches; upgrade to 8.3.10 or later)
- 8.3.x before 8.3.10, 8.4.x before 8.4.10, 8.5.x before 8.5.9
- 9.0.0 through 9.0.2 (9.1 and later are not affected)
The flaw is only reachable when Unified Alerting is enabled, which is opt-in on 8.x and the default on 9.x; check enabled under [unified_alerting] in grafana.ini or the GF_UNIFIED_ALERTING_ENABLED environment variable.
Check Version:
grafana-server -v
Verify Fix Applied:
Confirm the version is 9.0.3, 8.5.9, 8.4.10, 8.3.10 or a later release on the same branch. Then confirm Unified Alerting still works: rules evaluate, contact points deliver, and the alerting pages load without errors.
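The version ranges above, encoded as a small checker so they can be applied to a fleet inventory or to piped command output instead of compared by eye. This is an added example, not Grafana's code: the fixed versions come from the advisory; the function names and the sample /api/health response are this example's own assumptions.

```python
"""Decide whether a Grafana version string is in the CVE-2022-31097 affected range.

Added example (not Grafana's code). The fixed versions come from the GHSA advisory;
the function names and the sample /api/health JSON are this example's own.
"""
import json
import re

# First fixed release on each maintenance branch named in the advisory.
FIXED_ON_BRANCH = {
    (8, 3): (8, 3, 10),
    (8, 4): (8, 4, 10),
    (8, 5): (8, 5, 9),
    (9, 0): (9, 0, 3),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a bare '9.0.2', a 'v8.5.9' tag, a packaged
    '8.4.10-1' string, or the `grafana-server -v` banner
    'Version 8.5.9 (commit: ..., branch: ...)'. Build/pre-release suffixes are ignored."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_from_health(body):
    """Parse the JSON returned by GET /api/health (no authentication needed), e.g.
    {"commit": "abc123", "database": "ok", "version": "9.0.2"}."""
    return parse_version(json.loads(body)["version"])


def is_vulnerable(version):
    """True if the release still carries the stored XSS in Unified Alerting."""
    major, minor, patch = parse_version(version)
    if major < 8:
        return False  # Unified Alerting first shipped in 8.0
    if major > 9:
        return False  # released after the fix
    if major == 9:
        return (major, minor, patch) < (9, 0, 3)  # 9.0.0-9.0.2 only; 9.1+ is fixed
    fixed = FIXED_ON_BRANCH.get((8, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    # 8.0.x-8.2.x never received a fixed release; they must move to 8.3.10 or later.
    return minor < 3


def upgrade_target(version):
    """Smallest fixed release on the same branch, or on the first branch that has one.
    Returns None when the version is already fixed."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    key = (major, minor) if (major, minor) in FIXED_ON_BRANCH else (8, 3)
    return ".".join(str(n) for n in FIXED_ON_BRANCH[key])


if __name__ == "__main__":
    import sys
    # Accepts either `grafana-server -v` output or a /api/health JSON body on stdin.
    text = sys.stdin.read().strip() if not sys.stdin.isatty() else "9.0.2"
    found = version_from_health(text) if text.startswith("{") else parse_version(text)
    v = ".".join(str(n) for n in found)
    target = upgrade_target(v)
    print(f"{v}: {'VULNERABLE, upgrade to ' + target if target else 'fixed'}")
```

Run it as `grafana-server -v | python3 check.py` on the host, or `curl -s http://localhost:3000/api/health | python3 check.py` against a remote instance; the branch logic is what matters, since a naive "version < 9.0.3" comparison would wrongly flag 8.5.9 and 8.4.10 as vulnerable and wrongly clear 8.2.x.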
📡 Detection & Monitoring
Log Indicators:
Grafana OSS has no dedicated audit events for these actions (audit logging is an Enterprise feature), so enable request logging with router_logging = true under [server] in grafana.ini and watch the API paths:
- Alert rule, rule group or contact point writes by Editor accounts (POST/PUT/DELETE to /api/ruler/grafana/... and /api/alertmanager/grafana/config/...), especially content with script tags, javascript: URLs or on*= handlers in rule names, annotations, labels or contact point fields
- Role changes (PATCH /api/org/users/:id or /api/orgs/:id/users/:id) or server-admin grants (PUT /api/admin/users/:id/permissions) issued from an Admin session whose referer is an /alerting/ page, or that the Admin cannot account for
Network Indicators:
The payload executes in the Admin's browser, not on the Grafana server, so server egress is not where the evidence is. Look instead at:
- Browser or proxy telemetry showing an Admin's browser calling user-management API endpoints while on an alerting page
- Admin-role API calls from client addresses or at times that do not match the Admin's usual sessions
SIEM Query:
The following is an illustrative search over Grafana request logs (logfmt fields as written with router_logging enabled); Grafana emits no events literally named alert_rule_modified or user_role_changed, so map the field names to your SIEM's parser:
logger=context msg="Request Completed" AND ((method IN (POST, PUT, DELETE) AND path STARTSWITH "/api/ruler/grafana/") OR (method=PATCH AND path MATCHES "^/api/org/users/[0-9]+$") OR (method=PUT AND path MATCHES "^/api/admin/users/[0-9]+/permissions$"))
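To make the indicators above concrete, here is an added example (not from the original page or from Grafana) that parses request log lines of the shape Grafana writes with router_logging enabled and flags the alerting writes and role changes, treating a role change issued from an /alerting/ page as the strongest signal. The log lines embedded in it are constructed for the example; the field names (msg, method, path, uname, referer) match Grafana's request log, but check them against your own logs before deploying the patterns.

```python
"""Scan Grafana request logs for the write paths an Editor and a coerced Admin would hit
in a CVE-2022-31097 chain. Added example, not part of the original page or of Grafana.
Assumes [server] router_logging = true so every request is logged in logfmt; the sample
lines below are constructed for the example, not captured from a real instance."""
import re

SAMPLE_LOG = """\
logger=context userId=2 orgId=1 uname=editor t=2022-07-14T10:01:02.1+00:00 lvl=info msg="Request Completed" method=POST path=/api/ruler/grafana/api/v1/rules/prod status=202 remote_addr=10.0.0.5 time_ms=12 size=35 referer=http://grafana.example/alerting/new
logger=context userId=2 orgId=1 uname=editor t=2022-07-14T10:01:30.0+00:00 lvl=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.5 time_ms=3 size=900 referer=
logger=context userId=1 orgId=1 uname=admin t=2022-07-14T10:05:11.4+00:00 lvl=info msg="Request Completed" method=GET path=/api/prometheus/grafana/api/v1/rules status=200 remote_addr=10.0.0.9 time_ms=8 size=2100 referer=http://grafana.example/alerting/list
logger=context userId=1 orgId=1 uname=admin t=2022-07-14T10:05:11.9+00:00 lvl=info msg="Request Completed" method=PATCH path=/api/org/users/2 status=200 remote_addr=10.0.0.9 time_ms=6 size=40 referer=http://grafana.example/alerting/list
logger=context userId=1 orgId=1 uname=admin t=2022-07-14T10:05:12.1+00:00 lvl=info msg="Request Completed" method=PUT path=/api/admin/users/2/permissions status=200 remote_addr=10.0.0.9 time_ms=5 size=40 referer=http://grafana.example/alerting/list
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Endpoints where an Editor can plant alerting content (rule groups, contact points).
ALERTING_WRITE = re.compile(r"^/api/(ruler/grafana/|alertmanager/grafana/config)")
# Endpoints that change a user's org role or server-admin flag.
ROLE_CHANGE = re.compile(r"^/api/(org/users/\d+|orgs/\d+/users/\d+|admin/users/\d+/permissions)$")


def parse_logfmt(line):
    """Turn one logfmt line into a dict; quoted values lose their quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV_RE.findall(line)}


def classify(event):
    """Return a finding label for one parsed request, or None if it is uninteresting."""
    method, path = event.get("method", ""), event.get("path", "")
    if method in ("POST", "PUT", "DELETE") and ALERTING_WRITE.match(path):
        return "alerting_write"
    if method in ("PATCH", "PUT") and ROLE_CHANGE.match(path):
        # A role change while the Admin was viewing an alerting page is the exact shape
        # of the XSS chain: the script fires from /alerting/... and calls the API with
        # the Admin's session cookie.
        if "/alerting/" in event.get("referer", ""):
            return "role_change_from_alerting_page"
        return "role_change"
    return None


def scan(lines):
    """Return (label, uname, method, path, timestamp) for every suspicious request."""
    findings = []
    for line in lines:
        event = parse_logfmt(line)
        if event.get("msg") != "Request Completed":
            continue  # only completed HTTP requests carry method/path
        label = classify(event)
        if label:
            findings.append((label, event.get("uname"), event["method"], event["path"], event.get("t")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the constructed sample this reports the Editor's rule write and the two role changes the Admin's browser issued four seconds after loading /alerting/list; on real logs, feed it `grafana.log` and correlate the flagged Admin requests with the alerting content the same Editor wrote shortly before.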
🔗 References
- https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
- https://security.netapp.com/advisory/ntap-20220901-0010/