PT-2022-7299 · Grafana+7
Kminehart · Published 2022-07-14 · Updated 2025-09-29
CVE-2022-31107
CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Grafana versions 5.3 through 9.0.3
Grafana versions 8.3 through 8.3.10
Grafana versions 8.4 through 8.4.10
Grafana versions 8.5 through 8.5.9
Description
The issue is an authorization flaw in Grafana's OAuth login that allows a malicious user to take over another user's account. It can occur when the malicious user is authorized to log in via a configured OAuth IdP, their external user ID and email address are not associated with any Grafana account, and they know the target user's Grafana username. The malicious user can then set their username in the OAuth provider to the target's username and log in to Grafana, gaining access to the target user's account.
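The lookup logic behind the description above, as an added illustration that is not code from this advisory or from Grafana: a simplified resolver that maps an OAuth identity to a local account, with the login-name fall-through beside a hardened variant that drops it. User, ExternalUserInfo, find, resolve and the sample accounts are all constructed here, and the hardened rule is an assumption, not Grafana's actual patch.

```go
package main
import "errors"

// User is a simplified account record (hypothetical, not Grafana's real model).
type User struct {
	ID                 int
	Login, Email       string
	AuthModule, AuthID string // external linkage; empty for local accounts
}

// ExternalUserInfo is what the OAuth IdP asserts about the person logging in.
type ExternalUserInfo struct{ AuthModule, AuthID, Email, Login string }

// Constructed sample table: "alice" is a local account with no OAuth link.
var users = []User{
	{ID: 1, Login: "alice", Email: "alice@example.com"},
	{ID: 2, Login: "bob", Email: "bob@example.com", AuthModule: "oauth_generic_oauth", AuthID: "bob-ext-id"},
}

func find(match func(*User) bool) *User {
	for i := range users {
		if match(&users[i]) {
			return &users[i]
		}
	}
	return nil
}

// resolve maps an OAuth identity to a local account: external ID first, then
// email. With loginFallback the IdP-supplied login name is trusted as a last
// resort, which is the flaw: an unlinked identity can claim any account by name.
func resolve(ext ExternalUserInfo, loginFallback bool) (*User, error) {
	if u := find(func(u *User) bool { return u.AuthModule == ext.AuthModule && u.AuthID == ext.AuthID }); u != nil {
		return u, nil
	}
	if u := find(func(u *User) bool { return u.Email == ext.Email && u.AuthID == "" }); u != nil {
		return u, nil // first link of an existing account by the email the IdP asserts
	}
	if loginFallback {
		if u := find(func(u *User) bool { return u.Login == ext.Login }); u != nil {
			return u, nil
		}
	}
	return nil, errors.New("no linked account: provision a new user instead")
}

// lookupVulnerable keeps the login fall-through; lookupHardened (an assumed
// mitigation, not Grafana's actual patch) drops it.
func lookupVulnerable(ext ExternalUserInfo) (*User, error) { return resolve(ext, true) }
func lookupHardened(ext ExternalUserInfo) (*User, error)   { return resolve(ext, false) }
```

Against the sample table, an OAuth identity whose ID and email match nothing but whose login is "alice" resolves to alice's account through lookupVulnerable and is refused by lookupHardened, which is exactly the condition the workaround (every OAuth user having a linked account) removes.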
Recommendations
For versions 5.3 through 9.0.3, update to version 9.0.3 or later.
For versions 8.3 through 8.3.10, update to version 8.3.10 or later.
For versions 8.4 through 8.4.10, update to version 8.4.10 or later.
For versions 8.5 through 8.5.9, update to version 8.5.9 or later.
As a temporary workaround, consider disabling OAuth login to the Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
Weakness Enumeration
Incorrect Authorization
Affected Products
Alt Linux
Almalinux
Centos
Grafana
Red Hat
Red Os
Rocky Linux
Suse