CSRF vulnerability in Grafana open source tool allows hackers to elevate their privileges through cross-origin attacks against administrators

Two security researchers reported the detection of a critical vulnerability in the popular Grafana dashboard. Tracked as CVE-2022-21703, the flaw was described as a cross-site request forgery (CSRF) that would allow threat actors to obtain administrator privileges on vulnerable systems.

According to the report, Grafana versions prior to 7.5.15 and 8.3.5 are vulnerable and their users need to apply the security patches that are already available at the time of writing.

The vulnerabilities, reported by security researchers and bug bounty hunters “jub0bs” and “abrahack”, could be exploited to allow authenticated dashboard panels to be embedded by other origins, increasing the risk of cross-origin attacks. There are no known workarounds to mitigate the exploitation risk, so administrators of affected deployments are encouraged to upgrade as soon as possible.

The researchers report that the potential consequences of the vulnerability should be of concern to system administrators: “This attack would allow the deployment of XSS scenarios, privilege escalations, and server-side request forgery,” the report said.

Specialists believe that the vulnerability exists due to the combination of three security deficiencies: over-reliance on the SameSite cookie attribute, weak validation of the content type of requests, and incorrect assumptions about cross-origin resource sharing.
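The three deficiencies listed above map onto concrete server-side checks. The following Go example, added here and not taken from Grafana's code base, shows a request guard that fails closed on each of them: it does not rely on the SameSite cookie attribute alone, it parses the Content-Type as a media type instead of substring-matching it, and it compares the request's Origin (or Referer) against a single configured application origin. The `csrfGuard` type, the `appOrigin` value and the example requests in `main` are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// csrfGuard rejects state-changing requests that a browser could have sent
// cross-origin on behalf of an already logged-in user.
type csrfGuard struct {
	appOrigin string // assumed config value, e.g. "https://grafana.example.com"
}

var (
	errOrigin      = errors.New("origin not allowed")
	errContentType = errors.New("content type not allowed")
)

// check returns nil when the request may proceed and a wrapped sentinel
// error describing which control rejected it otherwise.
func (g csrfGuard) check(r *http.Request) error {
	// Safe methods must not change state, so nothing to guard.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}

	// 1. Cross-origin check. Prefer the Origin header, fall back to the
	//    scheme+host of Referer, and fail closed when neither is present
	//    instead of trusting that a SameSite cookie was not sent.
	src := r.Header.Get("Origin")
	if src == "" {
		if ref := r.Header.Get("Referer"); ref != "" {
			if u, err := url.Parse(ref); err == nil && u.Host != "" {
				src = u.Scheme + "://" + u.Host
			}
		}
	}
	// A literal "null" Origin or a look-alike host fails this exact match.
	if !strings.EqualFold(src, g.appOrigin) {
		return fmt.Errorf("%w: %q", errOrigin, src)
	}

	// 2. Content-Type check. Parsing the media type means only a real JSON
	//    body passes; forms and text/plain bodies (which browsers can send
	//    cross-origin without a preflight) are rejected.
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return fmt.Errorf("%w: %q", errContentType, r.Header.Get("Content-Type"))
	}
	return nil
}

func main() {
	g := csrfGuard{appOrigin: "https://grafana.example.com"}

	// Constructed requests: one legitimate, one from a foreign origin,
	// one with a non-JSON body from the right origin.
	cases := []struct{ origin, ctype string }{
		{"https://grafana.example.com", "application/json"},
		{"https://attacker.example", "application/json"},
		{"https://grafana.example.com", "text/plain"},
	}
	for _, c := range cases {
		r, _ := http.NewRequest(http.MethodPost, "/api/user", nil)
		r.Header.Set("Origin", c.origin)
		r.Header.Set("Content-Type", c.ctype)
		fmt.Printf("origin=%-30s ctype=%-17s -> %v\n", c.origin, c.ctype, g.check(r))
	}
}
```

In production the same check would sit as middleware in front of every mutating API route; pairing it with a per-session anti-CSRF token gives defence in depth, since the Origin header alone is absent from some non-browser clients.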

Some preconditions must be met for the attack to succeed, although this does not eliminate the risk of exploitation: “If threat actors target an instance of Grafana with a default configuration in grafana.example.com, an XSS attack or domain hijacking is needed,” the experts report.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.