Bug 2102254 (CVE-2022-32275)

Summary: CVE-2022-32275 grafana: session control failure may lead to information disclosure
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: agerstmayr, aoconnor, bniver, flucifre, gmeno, grafana-maint, jkurik, mbenjamin, mgoodwin, mhackett, nathans, sostapov, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grafana. This vulnerability occurs when the traversal path is explored, and the authentication system redirects to an internal system page that only authenticated users should access.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2102623, 2102625, 2102626
Bug Blocks: 2102255

Description Marian Rehak 2022-06-29 14:18:37 UTC
Grafana allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI.

Reference:

https://github.com/grafana/grafana/issues/50336
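The request path quoted in the report mixes percent-encoding with parent-directory segments written as ".. " with a trailing space, so a plain substring match for "../" in access logs would miss it. The following is an added example, not code from the report, from Grafana or from the Red Hat tracker: it percent-decodes each request path until the result is stable, splits it into segments, flags any request whose normalized path contains a parent segment, and reports how many levels the path climbs above the served root. The access-log format, client addresses and status codes are constructed for the example; only the second request path is the one quoted in the report above.

```python
"""Detect path-traversal attempts in web-server request paths (added example).

The sample access log below is constructed. Its second request path is the
URI quoted in the bug report; everything else (format, clients, statuses)
is made up for illustration.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - GET /api/dashboards/home 200
10.0.0.5 - - GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd 404
10.0.0.9 - - GET /public/img/grafana_icon.svg 200
10.0.0.9 - - GET /api/datasources/proxy/1/..%2F..%2Fetc%2Fpasswd 401
"""

# Minimal log grammar: client, two ignored fields, method, path, status.
# The path is matched non-greedily so a path containing spaces still parses,
# because the status code is anchored at the end of the line.
LOG_RE = re.compile(
    r"^(?P<client>\S+) \S+ \S+ (?P<method>[A-Z]+) (?P<path>.+?) (?P<status>\d{3})$"
)


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing.

    A single pass would leave double-encoded sequences such as %252E%252E
    ('..' encoded twice) unrecognised; the bound keeps pathological input
    from looping indefinitely.
    """
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def path_segments(path: str) -> list[str]:
    """Decode, unify separators, split, and trim whitespace around segments.

    Trimming is what turns the report's '.. ' segments back into '..'.
    """
    decoded = fully_decode(path).replace("\\", "/")
    return [seg.strip() for seg in decoded.split("/")]


def escape_depth(path: str) -> int:
    """Return how many levels the normalized path climbs above its root.

    0 means every '..' is cancelled by a preceding real segment; a positive
    value means the path reaches outside the served tree.
    """
    depth = 0
    lowest = 0
    for seg in path_segments(path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded path contains a '..' segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if ".." not in path_segments(path):
            continue
        findings.append({
            "client": m.group("client"),
            "path": path,
            "decoded": fully_decode(path),
            "escape_depth": escape_depth(path),
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} depth={finding['escape_depth']} "
              f"status={finding['status']} {finding['decoded']}")
```

Both flagged requests were answered with non-200 statuses in the constructed log, which matches the maintainer's comment below that the path does not reproduce on Grafana 7 or 8; the value of the scan is seeing who is probing, not confirming a read. The escape depth separates a probe that merely contains an encoded `..` from one that would leave the served tree if the server did no normalization at all.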

Comment 1 Andreas Gerstmayr 2022-06-29 14:55:09 UTC
Hi Marian,

can you please add a reproducer, for example using curl, and note which Grafana version(s) are affected?
I cannot reproduce it so far using the above path on Grafana 7 or 8.


Thanks,
Andreas

Comment 7 Sandipan Roy 2022-06-30 11:42:30 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2102623]