PT-2022-7302 · Grafana+7
Kminehart +1 · Published 2022-01-18 · Updated 2025-09-29
CVE-2022-21673
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Grafana versions prior to 7.5.13
Grafana versions prior to 8.3.4
Description
The issue lies in Grafana's Forward OAuth Identity feature, which can allow API token holders to retrieve data to which they were not intended to have access. When a data source has Forward OAuth Identity enabled and a query is sent to it with an API token and no other user credentials, Grafana forwards the OAuth identity of the most recently logged-in user along with the query. The attack relies on specific conditions: the presence of data sources that support the Forward OAuth Identity feature, the feature being toggled on for a data source, OAuth being enabled, and usable API keys being present.
Recommendations
For versions prior to 7.5.13, update to version 7.5.13 or later.
For versions prior to 8.3.4, update to version 8.3.4 or later.
As a temporary workaround, consider disabling the Forward OAuth Identity feature for all data sources until a patch is applied.
Restrict access to data sources that support the Forward OAuth Identity feature to minimize the risk of exploitation.
Avoid using API tokens for queries to data sources with the Forward OAuth Identity feature enabled until the issue is resolved.
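The recommendations above turn on two facts an operator can check directly: whether the running Grafana release is in the affected range, and which data sources still have Forward OAuth Identity switched on. The script below is an added example written for this advisory, not code from the advisory or from the Grafana project. It assumes the data-source list has the shape returned by Grafana's GET /api/datasources endpoint, where Forward OAuth Identity appears as the `oauthPassThru` boolean inside a data source's `jsonData`; the sample list embedded in the script is constructed for illustration.

```python
"""Audit helper for CVE-2022-21673 (Forward OAuth Identity with API tokens).

Added example, not code from the advisory or from the Grafana project.
It checks the two things the recommendations depend on:
  1. whether the Grafana version is in the affected range
     (prior to 7.5.13 on the 7.x line, prior to 8.3.4 on the 8.x line);
  2. which data sources still have Forward OAuth Identity enabled
     (the `oauthPassThru` flag in a data source's `jsonData`, as returned
     by Grafana's GET /api/datasources).
"""
import re

FIXED_7 = (7, 5, 13)  # first fixed release on the 7.x line
FIXED_8 = (8, 3, 4)   # first fixed release on the 8.x line


def parse_version(version: str) -> tuple:
    """Turn '8.3.3' or 'v8.3.3-abc' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside the ranges named in the advisory."""
    v = parse_version(version)
    if v[0] <= 7:
        return v < FIXED_7          # everything before 7.5.13
    if v[0] == 8:
        return v < FIXED_8          # 8.0.0 up to but not including 8.3.4
    return False                    # 9.x and later already carry the fix


def oauth_forwarding_datasources(datasources) -> list:
    """Names of data sources with Forward OAuth Identity (oauthPassThru) enabled."""
    return [
        ds["name"]
        for ds in datasources
        if ds.get("jsonData", {}).get("oauthPassThru") is True
    ]


def audit(version: str, datasources) -> dict:
    """Combine version and data-source state into one recommendation."""
    affected = is_affected(version)
    exposed = oauth_forwarding_datasources(datasources)
    if affected and exposed:
        action = ("upgrade to a fixed release; until then disable Forward OAuth "
                  "Identity on: " + ", ".join(exposed))
    elif affected:
        action = "upgrade to a fixed release (no data source currently forwards OAuth identity)"
    elif exposed:
        action = ("version is fixed; review whether Forward OAuth Identity is still "
                  "required on: " + ", ".join(exposed))
    else:
        action = "no action needed"
    return {"version": version, "affected": affected,
            "forwarding": exposed, "action": action}


# Constructed sample shaped like the output of GET /api/datasources.
SAMPLE_DATASOURCES = [
    {"id": 1, "name": "prometheus-prod", "type": "prometheus",
     "jsonData": {"oauthPassThru": True, "httpMethod": "POST"}},
    {"id": 2, "name": "loki", "type": "loki",
     "jsonData": {"oauthPassThru": False}},
    {"id": 3, "name": "testdata", "type": "testdata", "jsonData": {}},
]

if __name__ == "__main__":
    for v in ("8.3.3", "8.3.4", "7.5.12", "7.5.13"):
        print(audit(v, SAMPLE_DATASOURCES))
```

In practice the data-source list would come from the Grafana API with an admin credential; the version check is deliberately conservative and treats any release below 7.5.13, including 6.x, as affected, matching the advisory's "prior to 7.5.13" wording.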
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Grafana
Red Hat
Red Os
Rocky Linux
Suse