Bug 2072429 (CVE-2022-24812) - CVE-2022-24812 grafana: Privilege Escalation in grafana enterprise
Summary: CVE-2022-24812 grafana: Privilege Escalation in grafana enterprise
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-24812
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2072434
Reported: 2022-04-06 09:43 UTC by Avinash Hanwate
Modified: 2023-09-01 03:08 UTC

Fixed In Version: grafana-enterprise 8.4.6
Doc Type: ---
Doc Text:
A flaw was found in Grafana Enterprise. When the fine-grained access control beta feature is enabled, the permissions evaluated for an API Key are cached per organization under a cache key that does not identify the API Key itself, so a subsequent request made with a different API Key in the same organization is served the previously cached permissions. A lower-privileged API Key can therefore act with the permissions of a higher-privileged one. The flaw was introduced in Grafana 8.1.0-beta1.
Clone Of:
Environment:
Last Closed: 2022-04-18 08:27:02 UTC
Embargoed:



Description Avinash Hanwate 2022-04-06 09:43:17 UTC
When the fine-grained access control beta feature is enabled, Grafana 8.1.0-beta1 introduced a privilege escalation vulnerability. When a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache key is constructed, subsequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges: for example, when a first request is made with Admin permissions and a second request with a different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin request, essentially accessing higher privilege than it should.

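The description above comes down to a cache keyed on the organization alone. The following Go program is an added illustration written for this page, not Grafana's own code: the permission policy, the `APIKey` model, the 30-second TTL cache and the two key functions are all constructed here to show how the shared cache slot lets a Viewer key inherit an Admin key's permissions, and how binding the slot to the calling key closes the gap.

```go
package main

import (
	"fmt"
	"time"
)

// Role is a simplified stand-in for a Grafana organization role.
type Role string

const (
	RoleAdmin  Role = "Admin"
	RoleViewer Role = "Viewer"
)

// APIKey is a constructed model of a Grafana API key: its ID, the
// organization it belongs to and the role it was created with.
type APIKey struct {
	ID    int64
	OrgID int64
	Role  Role
}

type cacheEntry struct {
	perms   map[string]bool
	expires time.Time
}

// PermissionCache memoises evaluated permissions for ttl. keyFunc decides
// which requests share a cache slot; that choice is the whole bug.
type PermissionCache struct {
	ttl     time.Duration
	now     func() time.Time
	keyFunc func(APIKey) string
	entries map[string]cacheEntry
}

// NewPermissionCache takes an injectable clock so the 30-second window can
// be exercised deterministically.
func NewPermissionCache(ttl time.Duration, now func() time.Time, keyFunc func(APIKey) string) *PermissionCache {
	return &PermissionCache{ttl: ttl, now: now, keyFunc: keyFunc, entries: map[string]cacheEntry{}}
}

// evaluate is a toy policy (an assumption, not Grafana's): Admin may read and
// write users, Viewer may only read.
func evaluate(role Role) map[string]bool {
	perms := map[string]bool{"users:read": true}
	if role == RoleAdmin {
		perms["users:write"] = true
	}
	return perms
}

// Permissions returns the permissions cached in the slot keyFunc maps k to,
// re-evaluating only when that slot is missing or expired.
func (c *PermissionCache) Permissions(k APIKey) map[string]bool {
	key := c.keyFunc(k)
	if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
		return e.perms
	}
	perms := evaluate(k.Role)
	c.entries[key] = cacheEntry{perms: perms, expires: c.now().Add(c.ttl)}
	return perms
}

// VulnerableKey mirrors the flaw in the description: the slot is chosen by
// organization only, so every API key in the org shares it.
func VulnerableKey(k APIKey) string { return fmt.Sprintf("org:%d", k.OrgID) }

// FixedKey also binds the slot to the calling API key.
func FixedKey(k APIKey) string { return fmt.Sprintf("org:%d:apikey:%d", k.OrgID, k.ID) }

// Can reports whether k is allowed action according to cache c.
func Can(c *PermissionCache, k APIKey, action string) bool {
	return c.Permissions(k)[action]
}

func main() {
	clock := time.Unix(0, 0)
	now := func() time.Time { return clock }
	admin := APIKey{ID: 1, OrgID: 1, Role: RoleAdmin}
	viewer := APIKey{ID: 2, OrgID: 1, Role: RoleViewer}

	variants := []struct {
		name    string
		keyFunc func(APIKey) string
	}{{"vulnerable", VulnerableKey}, {"fixed", FixedKey}}

	for _, v := range variants {
		clock = time.Unix(0, 0)
		c := NewPermissionCache(30*time.Second, now, v.keyFunc)
		Can(c, admin, "users:write") // the Admin request populates the cache
		fmt.Printf("%-10s viewer users:write within 30s: %v\n", v.name, Can(c, viewer, "users:write"))
		clock = clock.Add(31 * time.Second)
		fmt.Printf("%-10s viewer users:write after expiry: %v\n", v.name, Can(c, viewer, "users:write"))
	}
}
```

With the vulnerable key function the Viewer request made inside the 30-second window gets `users:write`, because it hits the slot the Admin request filled; once the entry expires it is re-evaluated correctly, which is why the window in the description is bounded by the TTL. The fix is only a matter of what goes into the cache key: any identity that can change the evaluated result (here the API Key ID) has to be part of it.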
Comment 3 Product Security DevOps Team 2022-04-18 08:26:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24812

