Bug 2072429 (CVE-2022-24812)

Summary: CVE-2022-24812 grafana: Privilege Escalation in grafana enterprise
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agerstmayr, amackenz, amasferr, amctagga, amuller, anpicker, aoconnor, aos-bugs, avibelli, bgeorges, bmontgom, bniver, chazlett, clement.escoffier, dandread, dkreling, drieden, eparis, erooth, flucifre, gmeno, go-sig, gparvin, grafana-maint, gsmet, hamadhan, jburrell, jkurik, jochrist, jokerman, jramanat, jwendell, jwon, krathod, lthon, mbenjamin, mgoodwin, mhackett, mkudlej, mszynkie, nathans, njean, nstielau, ovanders, pahickey, peholase, pgallagh, pjindal, probinso, rcernich, rruss, rsvoboda, sbiarozk, sdouglas, security-response-team, sostapov, spasquie, sponnaga, stcannon, tjochec, twalsh, vereddy, zebob.m
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: grafana-enterprise 8.4.6 Doc Type: ---
Doc Text:
A flaw was found in Grafana Enterprise. When the fine-grained access control beta feature is enabled, Grafana 8.1.0-beta1 introduces the Privilege Escalation vulnerability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-18 08:27:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 2072434    

Description Avinash Hanwate 2022-04-06 09:43:17 UTC
When the fine-grained access control beta feature is enabled, Grafana 8.1.0-beta1 introduced the Privilege Escalation vulnerability. When a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache key is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should.

Comment 3 Product Security DevOps Team 2022-04-18 08:26:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):