Today we are releasing Grafana 8.2.3. This patch release includes an important security fix for an issue that affects all Grafana versions from 8.0.0-beta1.
Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.
CVSS Score: 6.9 Medium CVSS:CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L
We received a security report to security@grafana.com on 2021-10-21 about a vulnerability in Grafana regarding the XSS vulnerability.
It was later identified as affecting Grafana versions from 8.0.0-beta1 to 8.2.2. CVE-2021-41174 has been assigned to this vulnerability.
If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.
The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.
There are two ways an unauthenticated user can open a page in Grafana that contains the login button:
- Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
- The link is to an unauthenticated page. The following pages are vulnerable:
- /dashboard-solo/snapshot/*
- /dashboard/snapshot/*
- /invite/:code
The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}
An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}
. This can be included in the link URL like this:
https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.
We can not guarantee that the below will identify all attacks, so if you find something using the audit process described below, you should consider doing a full assessment.
To determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path contains {{
followed by something that would invoke JavaScript code. For example, this could be code that attempts to show a fake login page or to steal browser or session data. The OWASP cheat sheet has several examples of XSS attacks.
If you enabled “Log web requests” in your configuration with router_logging = true
, look for requests where path
contains {{
followed by something that would invoke JavaScript code.
Release 8.2.3:
Download and install the appropriate patch for your version of Grafana.
Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.
If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{
in the path.
Example of an Nginx rule to block the literal string {{
:
location ~ \{\{ {
deny all;
}
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Tempo, Loki, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com by searching for security@grafana.
There is a Security category on the Grafana blog where we will post a summary, remediation, and mitigation details for any patch containing security fixes and you can subscribe to updates from our Security Announcements RSS feed.