Grafana Labs reports:
Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<"plugin-id"> where <"plugin-id"> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

- <grafana_host_url>/public/plugins/alertlist/
- <grafana_host_url>/public/plugins/annolist/
- <grafana_host_url>/public/plugins/barchart/
- <grafana_host_url>/public/plugins/bargauge/
- <grafana_host_url>/public/plugins/candlestick/
- <grafana_host_url>/public/plugins/cloudwatch/
- <grafana_host_url>/public/plugins/dashlist/
- <grafana_host_url>/public/plugins/elasticsearch/
- <grafana_host_url>/public/plugins/gauge/
- <grafana_host_url>/public/plugins/geomap/
- <grafana_host_url>/public/plugins/gettingstarted/
- <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
- <grafana_host_url>/public/plugins/graph/
- <grafana_host_url>/public/plugins/heatmap/
- <grafana_host_url>/public/plugins/histogram/
- <grafana_host_url>/public/plugins/influxdb/
- <grafana_host_url>/public/plugins/jaeger/
- <grafana_host_url>/public/plugins/logs/
- <grafana_host_url>/public/plugins/loki/
- <grafana_host_url>/public/plugins/mssql/
- <grafana_host_url>/public/plugins/mysql/
- <grafana_host_url>/public/plugins/news/
- <grafana_host_url>/public/plugins/nodeGraph/
- <grafana_host_url>/public/plugins/opentsdb
- <grafana_host_url>/public/plugins/piechart/
- <grafana_host_url>/public/plugins/pluginlist/
- <grafana_host_url>/public/plugins/postgres/
- <grafana_host_url>/public/plugins/prometheus/
- <grafana_host_url>/public/plugins/stackdriver/
- <grafana_host_url>/public/plugins/stat/
- <grafana_host_url>/public/plugins/state-timeline/
- <grafana_host_url>/public/plugins/status-history/
- <grafana_host_url>/public/plugins/table/
- <grafana_host_url>/public/plugins/table-old/
- <grafana_host_url>/public/plugins/tempo/
- <grafana_host_url>/public/plugins/testdata/
- <grafana_host_url>/public/plugins/text/
- <grafana_host_url>/public/plugins/timeseries/
- <grafana_host_url>/public/plugins/welcome/
- <grafana_host_url>/public/plugins/zipkin/

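As an added illustration of how a defender can spot exploitation attempts against the static plugin handler described above, here is a small Go program (example code, not Grafana's own) that scans web-server access-log lines for requests under /public/plugins/<plugin-id>/ whose path contains a dot-dot segment, literal or percent-encoded (including double-encoded). The log lines, client addresses and the file name SOME_FILE are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log line flagged as a possible traversal attempt.
type Finding struct {
	Client string
	Path   string // request path after percent-decoding
	Reason string
}

// Constructed sample access-log lines in Common Log Format (made up for this
// example). The second and third lines are the shape a traversal probe against
// the /public/plugins/<plugin-id>/ handler would leave behind.
var sampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/prometheus/module.js HTTP/1.1" 200 5120`,
	`10.0.0.9 - - [07/Dec/2021:10:01:07 +0000] "GET /public/plugins/alertlist/../../../../SOME_FILE HTTP/1.1" 200 1893`,
	`10.0.0.9 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2fSOME_FILE HTTP/1.1" 200 4021`,
	`10.0.0.5 - - [07/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 40`,
}

// reqRe pulls the client address and request target out of a CLF line.
var reqRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/`)

// decodeFully percent-decodes repeatedly so that double-encoded sequences
// (e.g. %252e) are resolved the way a lenient server would resolve them.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			return s
		}
		s = d
	}
	return s
}

// inspectRequest returns the decoded path and a non-empty reason when the
// request targets the plugin static handler and contains a ".." segment.
func inspectRequest(rawPath string) (decoded, reason string) {
	decoded = rawPath
	if i := strings.IndexByte(decoded, '?'); i >= 0 {
		decoded = decoded[:i] // the query string plays no part in path resolution
	}
	decoded = decodeFully(decoded)
	if !strings.HasPrefix(decoded, "/public/plugins/") {
		return decoded, ""
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return decoded, "dot-dot segment in plugin asset path"
		}
	}
	return decoded, ""
}

// ScanLog runs inspectRequest over every line and collects the findings.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := reqRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line this parser understands
		}
		decoded, reason := inspectRequest(m[2])
		if reason != "" {
			out = append(out, Finding{Client: m[1], Path: decoded, Reason: reason})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("%s %s (%s)\n", f.Client, f.Path, f.Reason)
	}
}
```

Decoding before matching is the important part: a rule that only looks for a literal `../` in the raw request line misses the percent-encoded variants, and a rule that decodes once misses the double-encoded ones. Match on the decoded segments, and treat any hit under /public/plugins/ on an instance in the affected version range as an indicator worth a full review of what the server returned.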
Grafana Labs reports:
When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they are not an admin.

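The defect described above is a scoping error: the Admin role was honored without regard to which organization it was held in. The Go snippet below is an added example, not Grafana's code (the User type, the OrgRoles map and the function names are this example's own); it puts the unscoped check next to the org-scoped check it should have been, and shows a toy endpoint that refuses to list another organization's members unless the caller is an admin of that organization.

```go
package main

import "fmt"

// OrgRole is a user's role inside one organization (uses Grafana's role names).
type OrgRole string

const (
	RoleViewer OrgRole = "Viewer"
	RoleEditor OrgRole = "Editor"
	RoleAdmin  OrgRole = "Admin"
)

// User carries the per-organization role assignments of one account.
// Field names are this example's own, not Grafana's data model.
type User struct {
	ID       int64
	OrgRoles map[int64]OrgRole // org ID -> role held in that org
}

// canManageOrgUsersUnscoped reproduces the flawed reasoning: holding Admin in
// any organization is treated as permission to manage users in every
// organization. targetOrgID is never consulted.
func canManageOrgUsersUnscoped(u User, targetOrgID int64) bool {
	for _, role := range u.OrgRoles {
		if role == RoleAdmin {
			return true
		}
	}
	return false
}

// canManageOrgUsersScoped is the corrected check: Admin must be held in the
// very organization whose user list is being read or modified.
func canManageOrgUsersScoped(u User, targetOrgID int64) bool {
	return u.OrgRoles[targetOrgID] == RoleAdmin
}

// ListOrgUserIDs is a toy endpoint: it returns the member IDs of targetOrgID
// only when the scoped check passes, and an error otherwise.
func ListOrgUserIDs(actor User, targetOrgID int64, members map[int64][]int64) ([]int64, error) {
	if !canManageOrgUsersScoped(actor, targetOrgID) {
		return nil, fmt.Errorf("user %d is not an admin of org %d", actor.ID, targetOrgID)
	}
	return members[targetOrgID], nil
}

func main() {
	// Constructed account: admin of org 1, plain viewer in org 2.
	actor := User{ID: 7, OrgRoles: map[int64]OrgRole{1: RoleAdmin, 2: RoleViewer}}
	fmt.Println("unscoped, org 2:", canManageOrgUsersUnscoped(actor, 2)) // true: cross-org access slips through
	fmt.Println("scoped, org 2:  ", canManageOrgUsersScoped(actor, 2))   // false
	fmt.Println("scoped, org 1:  ", canManageOrgUsersScoped(actor, 1))   // true
}
```

The general rule this illustrates: every authorization decision on a multi-tenant resource must take the tenant (here the organization) as an input and evaluate the caller's role in that tenant, never a role the caller holds somewhere else.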
Grafana Labs reports:
If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

- Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
- The link is to an unauthenticated page. The following pages are vulnerable:
  - /dashboard-solo/snapshot/*
  - /dashboard/snapshot/*
  - /invite/:code

The URL has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor('alert(1)')()}}. This can be included in the link URL like this:

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

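One mitigation for the class of bug described above is to validate the redirect target before it is placed into the login link, instead of passing the request URL through unchecked. The Go function below is an added example and not Grafana's actual fix; SafeRedirect and its rules (same-origin path only, no backslashes, no {{ }} markers anywhere in the value even when percent-encoded) are this example's own, and the inputs in main are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect validates a redirect target taken from the request URL before it
// is placed into the login link. It returns fallback unless the value is a
// same-origin path that carries no AngularJS interpolation markers.
func SafeRedirect(raw, fallback string) string {
	// Browsers treat "\" like "/", so "/\host" would become protocol-relative.
	if strings.Contains(raw, "\\") {
		return fallback
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// Same-origin only: no scheme, no host, no opaque "scheme:data" form, and
	// a path that starts with exactly one "/".
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" ||
		!strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Reject "{{" / "}}" anywhere in the value, including the query string and
	// fragment, whether literal or percent-encoded.
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		decoded = raw
	}
	if strings.Contains(decoded, "{{") || strings.Contains(decoded, "}}") {
		return fallback
	}
	// Return the re-serialized form so the template sees what url.Parse saw.
	return u.String()
}

func main() {
	// Constructed inputs: one legitimate deep link and several that must fall back.
	inputs := []string{
		"/dashboard/snapshot/abc123?orgId=1",
		"/invite/abc{{constructor.constructor('alert(1)')()}}",
		"/dashboard/snapshot/x?q=%7B%7B1%7D%7D",
		"//evil.example/",
		"https://evil.example/",
		"javascript:alert(1)",
	}
	for _, in := range inputs {
		fmt.Printf("%-55q -> %q\n", in, SafeRedirect(in, "/"))
	}
}
```

Validating the redirect is a defense in depth measure; the root cause is that untrusted text reached a template engine that evaluates expressions, so the template itself must also treat the value as data (text binding, not HTML or expression binding). Note the check runs on the percent-decoded value: a marker hidden as %7B%7B in the query string is just as live once the browser and framework decode it.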