CVE-2022-31107
📋 TL;DR
This vulnerability allows an authenticated malicious user to take over another user's Grafana account via OAuth login manipulation. It affects Grafana instances with OAuth authentication enabled where users can log in via external OAuth providers. The attacker needs to know the target's Grafana username and meet specific OAuth configuration conditions.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any Grafana user, allowing unauthorized access to sensitive monitoring data, dashboards, and potentially administrative functions.
Likely Case
Targeted account compromise of specific users, leading to unauthorized data access and potential privilege escalation within the Grafana instance.
If Mitigated
No impact if OAuth is disabled or all OAuth users have properly linked Grafana accounts with their email addresses.
🎯 Exploit Status
Exploitation requires authenticated access to an OAuth provider and knowledge of the target's Grafana username. The vulnerability is well documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.3, 8.5.9, 8.4.10, or 8.3.10
Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
Restart Required: Yes
Instructions:
1. Identify your Grafana version.
2. Upgrade to the appropriate patched version based on your current version: 9.x to 9.0.3, 8.5.x to 8.5.9, 8.4.x to 8.4.10, or 8.3.x to 8.3.10.
3. Restart the Grafana service.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable OAuth Authentication
Temporarily disable OAuth login until patching is possible
Edit the grafana.ini configuration file and set [auth.oauth] enabled = false
Restart Grafana service
Ensure OAuth User Account Linking
Create Grafana accounts for all OAuth users, linked to their email addresses
Use Grafana admin interface to create user accounts with matching email addresses for all OAuth users
🧯 If You Can't Patch
- Disable OAuth authentication completely
- Implement strict access controls and monitoring for OAuth login events
🔍 How to Verify
Check if Vulnerable:
Check the Grafana version and OAuth configuration. If the version is between 5.3 and 9.0.2 (excluding the patched versions listed above) and OAuth is enabled, the system is vulnerable.
Check Version:
Run grafana-server -v, or check the About page in the Grafana web interface.
Verify Fix Applied:
Verify that the Grafana version shows 9.0.3, 8.5.9, 8.4.10, or 8.3.10, or a later release on the same branch.
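The version check above is easy to get wrong by hand because the fix landed on four separate release branches. The following script is an added example (not code from the page or from the Grafana project) that encodes the page's stated ranges: affected from 5.3 through 9.0.2, fixed at 9.0.3, 8.5.9, 8.4.10 and 8.3.10 or later on each branch. It assumes the `grafana-server -v` output starts with a version string such as `Version 9.0.2 (...)`; the exact surrounding text is an assumption, so the parser only looks for the first `major.minor[.patch]` token.

```python
"""Classify a Grafana version against the CVE-2022-31107 affected range.

Added example: the ranges below are taken from the advisory text on this page;
the 'grafana-server -v' output format is an assumption, and the parser only
needs a major.minor[.patch] token somewhere in the string.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First affected release and the fix release on each maintained branch.
FIRST_AFFECTED: Version = (5, 3, 0)
FIXED_VERSIONS = [(9, 0, 3), (8, 5, 9), (8, 4, 10), (8, 3, 10)]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a bare version or from command output.

    A missing patch number is treated as 0 so '8.5' compares like '8.5.0'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(v: Version) -> bool:
    """True if v is at or above the fix release for its own branch.

    Branches with a dedicated fix (8.3, 8.4, 8.5, 9.0) are compared against
    their fix patch level; anything else is fixed only if it is 9.0.3 or newer.
    """
    major, minor, patch = v
    for fmaj, fmin, fpatch in FIXED_VERSIONS:
        if (major, minor) == (fmaj, fmin):
            return patch >= fpatch
    return v >= (9, 0, 3)


def is_vulnerable(v: Version, oauth_enabled: bool = True) -> bool:
    """Vulnerable when OAuth is enabled and v is in the affected range and unfixed."""
    if not oauth_enabled:
        return False
    return v >= FIRST_AFFECTED and not is_fixed(v)


def assess(version_text: str, oauth_enabled: bool = True) -> str:
    """Return one of: unknown, not affected, fixed, mitigated, vulnerable."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v < FIRST_AFFECTED:
        return "not affected"
    if is_fixed(v):
        return "fixed"
    return "vulnerable" if oauth_enabled else "mitigated"


def assess_local_install(oauth_enabled: bool = True) -> str:
    """Run 'grafana-server -v' on this host and classify the result (assumed CLI)."""
    try:
        out = subprocess.run(["grafana-server", "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return assess(out, oauth_enabled)


if __name__ == "__main__":
    # Constructed sample of the assumed 'grafana-server -v' output.
    sample = "Version 9.0.2 (commit: abc123, branch: HEAD)"
    print(sample, "->", assess(sample))
    print("local install ->", assess_local_install())
```

Pass `oauth_enabled=False` when `[auth.*]` OAuth sections are disabled in grafana.ini so the result reflects the workaround rather than the bare version.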
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login from the same OAuth provider
- User account accessed from unexpected OAuth identity
- OAuth login events where external user ID changes for existing account
Network Indicators:
- Unusual OAuth authentication patterns
- Multiple authentication requests from the same OAuth provider in a short timeframe
SIEM Query:
source="grafana" AND (event="oauth_login" OR event="user_login") | stats count by user, oauth_provider, src_ip | where count > threshold
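The indicator that most directly matches this bug is an existing account suddenly being logged into from a different OAuth identity. The script below is an added example (not from the page or from Grafana) that implements that check over login events: it records the first (provider, external id) pair seen for each username and raises an alert whenever a later OAuth login for that username carries a different pair. The key=value event format and the field names `event`, `user`, `provider`, `ext_id` and `src_ip` are constructed for the example; map them onto whatever fields your Grafana log pipeline or SIEM actually emits.

```python
"""Flag OAuth logins where the external identity behind an existing
Grafana username changes (an indicator for CVE-2022-31107 abuse).

Added example. The log lines and field names are constructed, not
Grafana's real log schema; adapt parse_line() to your own source.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: three normal logins for alice/bob, then alice's
# username appears with a different external id from a new source IP.
SAMPLE_LOG = """\
t=2022-07-10T09:00:01Z event=oauth_login user=alice provider=github ext_id=1001 src_ip=10.0.0.5
t=2022-07-10T09:05:12Z event=oauth_login user=bob provider=github ext_id=1002 src_ip=10.0.0.6
t=2022-07-10T10:15:40Z event=oauth_login user=alice provider=github ext_id=1001 src_ip=10.0.0.5
t=2022-07-10T11:02:09Z event=oauth_login user=alice provider=github ext_id=2099 src_ip=203.0.113.7
t=2022-07-10T11:02:30Z event=user_login user=carol src_ip=10.0.0.9
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
Identity = Tuple[str, str]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; quoted values keep spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_identity_changes(lines: List[str],
                          baseline: Dict[str, Identity] = None) -> List[dict]:
    """Return one alert per OAuth login whose (provider, ext_id) differs
    from the identity first recorded for that username.

    baseline may be pre-seeded from a trusted export of user->identity
    links so that the very first sighting in the log is not assumed benign.
    """
    known: Dict[str, Identity] = dict(baseline or {})
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") != "oauth_login":
            continue  # password/LDAP logins are out of scope here
        user = ev.get("user", "")
        identity: Identity = (ev.get("provider", ""), ev.get("ext_id", ""))
        if user not in known:
            known[user] = identity
        elif known[user] != identity:
            alerts.append({
                "time": ev.get("t"),
                "user": user,
                "expected": known[user],
                "seen": identity,
                "src_ip": ev.get("src_ip"),
            })
    return alerts


if __name__ == "__main__":
    for a in find_identity_changes(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} user={a['user']} expected={a['expected']} "
              f"seen={a['seen']} src_ip={a['src_ip']}")
```

Seeding `baseline` from the user-to-OAuth links stored in Grafana's database is the stronger configuration: without it, an attacker's first login would simply become the recorded identity.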
🔗 References
- https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/
- https://security.netapp.com/advisory/ntap-20220901-0010/