PT-2022-7304 · Grafana · Grafana Enterprise
Xlson · Published 2022-05-20 · Updated 2025-09-29
CVE-2022-29170
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Grafana Enterprise versions 7.4.0-beta1 through 7.5.15
Grafana Enterprise versions 8.0.0 through 8.5.2
Description
The issue concerns the Request security feature of Grafana Enterprise, which lets an administrator configure the instance to call only specific hosts. A malicious datasource running on an allowed host can bypass this restriction by answering with an HTTP redirect to a forbidden host: the redirect target is followed without being validated against the allow list, so the response from the forbidden host can potentially expose sensitive information to clients. The vulnerability only affects Grafana Enterprise when the Request security allow list is in use and a user is able to add a custom datasource that returns HTTP redirects.
Recommendations
For Grafana Enterprise versions 7.4.0-beta1 through 7.5.15, update to version 7.5.16 or later.
For Grafana Enterprise versions 8.0.0 through 8.5.2, update to version 8.5.3 or later.
As a temporary workaround, restrict which users may add custom datasources to reduce the risk of exploitation.
Do not rely on the Request security allow list feature alone until the update has been applied.
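The flaw described above is a general one: an outbound-request allow list that is checked only against the initial URL is defeated by any allowed host that answers with a redirect. The following Go program is an added illustration of that failure mode and of the corresponding fix; it is not Grafana's code and does not reproduce Grafana's Request security implementation. The names AllowList, Fetch, NewNaiveClient, NewHardenedClient and RunScenario are all assumptions made for this example. Two local test servers play the roles of the allowed datasource (which redirects) and the forbidden host; the naive client ends up talking to the forbidden host, while the hardened client re-validates every redirect hop in CheckRedirect and refuses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrHostNotAllowed is returned whenever a request target (initial or redirected)
// is not on the allow list. Hypothetical name chosen for this example.
var ErrHostNotAllowed = errors.New("request target host is not in the allow list")

// AllowList holds permitted "host:port" values exactly as they appear in url.URL.Host.
type AllowList map[string]bool

// Check validates a single URL against the allow list.
func (a AllowList) Check(u *url.URL) error {
	if !a[u.Host] {
		return fmt.Errorf("%w: %s", ErrHostNotAllowed, u.Host)
	}
	return nil
}

// NewNaiveClient models the vulnerable pattern: the initial URL is checked by the
// caller (see Fetch), but redirects are followed with no further validation.
func NewNaiveClient() *http.Client {
	return &http.Client{}
}

// NewHardenedClient re-applies the allow list to every redirect target before it is
// followed, so a redirect to a forbidden host aborts the request.
func NewHardenedClient(allow AllowList) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			return allow.Check(req.URL)
		},
	}
}

// Fetch validates the initial URL, performs the GET and reports which host finally
// served the response (the last request in the redirect chain).
func Fetch(client *http.Client, allow AllowList, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if err := allow.Check(u); err != nil {
		return "", err
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		if resp != nil {
			resp.Body.Close()
		}
		return "", err
	}
	defer resp.Body.Close()
	return resp.Request.URL.Host, nil
}

// ScenarioResult collects what each client did in the constructed scenario.
type ScenarioResult struct {
	AllowedHost    string
	ForbiddenHost  string
	NaiveFinalHost string // host that actually answered the naive client
	HardenedErr    error  // error raised by the hardened client (expected: ErrHostNotAllowed)
}

// RunScenario starts two constructed local servers: "allowed" (on the allow list)
// answers with a 302 to "forbidden" (not on the list), then runs both clients.
func RunScenario() ScenarioResult {
	forbidden := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "constructed sample: data that must not leave the allowed hosts")
	}))
	defer forbidden.Close()
	allowed := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, forbidden.URL+"/data", http.StatusFound)
	}))
	defer allowed.Close()

	allowedURL, _ := url.Parse(allowed.URL)
	forbiddenURL, _ := url.Parse(forbidden.URL)
	allow := AllowList{allowedURL.Host: true}

	res := ScenarioResult{AllowedHost: allowedURL.Host, ForbiddenHost: forbiddenURL.Host}
	res.NaiveFinalHost, _ = Fetch(NewNaiveClient(), allow, allowed.URL+"/query")
	_, res.HardenedErr = Fetch(NewHardenedClient(allow), allow, allowed.URL+"/query")
	return res
}

func main() {
	res := RunScenario()
	fmt.Printf("allow list contains only %s\n", res.AllowedHost)
	fmt.Printf("naive client was served by   %s (forbidden host: %s)\n", res.NaiveFinalHost, res.ForbiddenHost)
	fmt.Printf("hardened client result:      %v\n", res.HardenedErr)
}
```

The important design point is that the allow list is enforced inside http.Client.CheckRedirect, which runs before each hop is issued, rather than only on the URL the caller hands in. Checking the final response's URL after the fact would not be enough, because by then the request to the forbidden host has already been sent and answered.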
Open Redirect
Affected Products
Alt Linux
Grafana
Grafana Enterprise
Red Os
Suse