Two security researchers have reported a serious vulnerability in the popular Grafana dashboard. Tracked as CVE-2022-21703, the flaw is a cross-site request forgery (CSRF): an attacker's web page can make the victim's browser send authenticated requests to Grafana, and through them escalate the attacker's privileges, potentially to administrator, on vulnerable instances.
According to the report, Grafana versions prior to 7.5.15 and 8.3.5 are affected. Fixed releases were already available at the time of writing, and users should upgrade to one of them.
The vulnerability, reported by security researchers and bug bounty hunters "jub0bs" and "abrahack", allows a page the attacker controls to issue requests to the dashboard that carry the victim's session cookie, so the dashboard is exposed to cross-origin attacks that ride on an authenticated session. There are no known workarounds that mitigate the risk, so administrators of affected deployments are encouraged to upgrade as soon as possible.
The researchers say the potential consequences should concern system administrators: "This attack would allow the deployment of XSS scenarios, privilege escalations, and server-side request forgery," the report said.
According to the researchers, the vulnerability results from the combination of three weaknesses: over-reliance on the SameSite cookie attribute as the only CSRF defence, weak validation of the Content-Type of incoming requests, and incorrect assumptions about what cross-origin resource sharing (CORS) actually prevents.
Exploitation has preconditions, although they do not make the risk negligible. Because Grafana's session cookie relies on SameSite=Lax, the browser will only attach it to a forged request that comes from a same-site page, that is, from a sibling domain of the target, so the attacker first needs a foothold on such a host: "If threat actors target an instance of Grafana with a default configuration in grafana.example.com, an XSS attack or domain hijacking is needed," the experts report.
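To make the three weaknesses and the same-site precondition concrete, the following Go program models a server-side check in its weak form next to a hardened form. It is an added illustration written for this article; it is not Grafana's code and does not reproduce Grafana's actual patch. The hostname grafana.example.com, the cookie name grafana_session, the API path and the sample requests are all assumptions constructed for the demo. The weak check accepts any cookie-authenticated state-changing request, so a page on a sibling domain can send a JSON body declared as text/plain, a CORS-safelisted type that needs no preflight, and the SameSite=Lax cookie rides along because the sibling counts as same-site. The hardened check refuses that request twice over: the declared media type must be exactly application/json, and the Origin (or Referer) must name the dashboard's own host, so same-site is no longer good enough.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// Name of the cookie that authenticates a browser session. Grafana's default
// is grafana_session; for this demo the name is only an assumption.
const sessionCookie = "grafana_session"

// Hostname the dashboard is served on (assumed for the demo).
const dashboardHost = "grafana.example.com"

// isSafeMethod reports whether the method cannot change server state and is
// therefore outside the scope of a CSRF check.
func isSafeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// weakCheck models the pre-fix behaviour the article describes: a
// cookie-authenticated, state-changing request is accepted regardless of the
// declared Content-Type and regardless of where the browser sent it from.
// The only thing standing between the attacker and the API is SameSite=Lax,
// which a same-site sibling domain satisfies. Returns the HTTP status code.
func weakCheck(r *http.Request) int {
	if isSafeMethod(r.Method) {
		return http.StatusOK
	}
	if _, err := r.Cookie(sessionCookie); err != nil {
		// Not cookie-authenticated (e.g. an API token): nothing a browser can forge.
		return http.StatusOK
	}
	return http.StatusOK // no Content-Type check, no Origin check
}

// hardenedCheck rejects a forged request on two independent grounds:
//  1. the media type must be exactly application/json, which a cross-origin
//     page cannot send without a CORS preflight the server will not approve;
//  2. the Origin header (or, failing that, Referer) must name the dashboard's
//     own host, so a same-site sibling domain is refused even though the
//     browser attached the session cookie.
// Returns the status code and a short reason.
func hardenedCheck(r *http.Request) (int, string) {
	if isSafeMethod(r.Method) {
		return http.StatusOK, "safe method"
	}
	if _, err := r.Cookie(sessionCookie); err != nil {
		return http.StatusOK, "not cookie-authenticated; CSRF check not applicable"
	}
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return http.StatusUnsupportedMediaType, "content type must be application/json"
	}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return http.StatusForbidden, "missing Origin and Referer"
	}
	u, err := url.Parse(src)
	if err != nil || !strings.EqualFold(u.Hostname(), dashboardHost) {
		return http.StatusForbidden, fmt.Sprintf("cross-origin request from %q", src)
	}
	return http.StatusOK, "ok"
}

// newRequest builds a sample request against a hypothetical state-changing
// endpoint. Empty contentType or origin leaves that header unset.
func newRequest(method, contentType, origin string, withCookie bool) *http.Request {
	r, _ := http.NewRequest(method, "https://"+dashboardHost+"/api/example", strings.NewReader(`{"demo":true}`))
	if contentType != "" {
		r.Header.Set("Content-Type", contentType)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if withCookie {
		r.AddCookie(&http.Cookie{Name: sessionCookie, Value: "opaque-session-id"})
	}
	return r
}

func main() {
	cases := []struct {
		name string
		r    *http.Request
	}{
		{"legitimate same-origin fetch", newRequest("POST", "application/json", "https://"+dashboardHost, true)},
		{"forged from same-site sibling, text/plain (no preflight)", newRequest("POST", "text/plain", "https://other.example.com", true)},
		{"forged from sibling, JSON type (Origin check only)", newRequest("POST", "application/json", "https://other.example.com", true)},
		{"GET from sibling (safe method)", newRequest("GET", "", "https://other.example.com", true)},
	}
	for _, c := range cases {
		code, why := hardenedCheck(c.r)
		fmt.Printf("%-58s weak=%d hardened=%d (%s)\n", c.name, weakCheck(c.r), code, why)
	}
}
```

Checking the media type alone is not sufficient: an HTML form with enctype=text/plain or a fetch with a safelisted type is what it stops, but the Origin comparison is what defeats the same-site case the researchers describe, because SameSite=Lax cannot tell the dashboard's own origin apart from a hijacked sibling subdomain. A per-session anti-CSRF token would be the third, independent layer.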
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday work includes researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.