7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31097

GHSA ID

GHSA-vw7q-p2qg-4m5f

EPSS Score

0.97641%

CWE

CWE-79

Published

5/14/2024

Updated

11/18/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31097

CVE-2022-31097: Grafana Stored Cross-site Scripting in Unified Alerting

Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.

Release v.9.0.3, containing this security fix and other patches:

Release v.8.5.9, containing this security fix and other fixes:

Release v.8.4.10, containing this security fix and other fixes:

Release v.8.3.10, containing this security fix and other fixes:

Download Grafana 8.3.10

Stored XSS (CVE-2022-31097)

Summary

On June 19 a security researcher contacted Grafana Labs to disclose a XSS vulnerability in the Unified Alerting feature of Grafana. After analysis, this stored XSS could be used to elevate privileges from Editor to Admin.

We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Impact

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link.

Affected versions with HIGH severity

All Grafana >=8.0 versions are affected by this vulnerability.

Solutions and mitigations

All installations after Grafana v8.0 should be upgraded as soon as possible.

As a workaround it is possible to disable alerting or use legacy alerting.

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

Timeline

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

2022-06-19 10:32 - Research submission of vulnerability report 2022-06-20 14:35- Issue triaged, confirmed positive, and internal incident raised 2022-06-20 18:40 - Fix PR submitted and reviewed 2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched 2022-07-05 07:14 - Customers informed under embargo 2022-07-14 02:00 - Public release

Acknowledgement

We would like to thank Maxim Misharin for responsibly disclosing the vulnerability.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31097

GHSA ID

GHSA-vw7q-p2qg-4m5f

EPSS Score

0.97641%

CWE

CWE-79

Published

5/14/2024

Updated

11/18/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	>= 9.0.0, < 9.0.3	9.0.3
github.com/grafana/grafana	go	>= 8.5.0, < 8.5.9	8.5.9
github.com/grafana/grafana	go	>= 8.4.0, < 8.4.10	8.4.10
github.com/grafana/grafana	go	>= 8.0.0, < 8.3.10	8.3.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes a stored XSS in Grafana's Unified Alerting feature but does not include specific code references, commit diffs, or patch details. While the advisory clearly identifies the vulnerable component (Unified Alerting) and attack vector (stored XSS via crafted alert content), there is insufficient technical detail to determine the exact vulnerable functions. The CWE-79 classification confirms improper input sanitization, but without access to the specific code changes in versions 8.3.10/8.4.10/8.5.9/9.0.3, we cannot confidently identify the exact functions responsible for rendering or processing alert content that lacked proper HTML escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

To**y w* *r* r*l**sin* *r***n* *.*.**, *.*.**, *.*.* *n* *.*.*. T*is p*t** r*l**s* in*lu**s * *I** s*v*rity s**urity *ix *or * stor** *ross Sit* S*riptin* in *r***n*. R*l**s* v.*.*.*, *ont*inin* t*is s**urity *ix *n* ot**r p*t***s: - [*ownlo** *r**

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * stor** XSS in *r***n*'s Uni*i** *l*rtin* ***tur* *ut *o*s not in*lu** sp**i*i* *o** r***r*n**s, *ommit *i**s, or p*t** **t*ils. W*il* t** **visory *l**rly i**nti*i*s t** vuln*r**l* *ompon*nt (Uni*i**

7.3

Basic Information

Concerned about an active attack path?

CVE-2022-31097: Grafana Stored Cross-site Scripting in Unified Alerting

Stored XSS (CVE-2022-31097)

Summary

Impact

Affected versions with HIGH severity

Solutions and mitigations

Timeline

Acknowledgement

Reporting security issues

Security announcements

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI