CVE-2022-21673 Overview
CVE-2022-21673 is an information disclosure vulnerability in Grafana, an open-source platform for monitoring and observability. When a data source has the Forward OAuth Identity feature enabled, a query sent to that data source with only an API token (and no other user credentials) is forwarded with the OAuth identity of the most recently logged-in user. API token holders can therefore retrieve data they were never meant to access.
Critical Impact
API token holders can impersonate the most recently authenticated OAuth user and access data they should not have authorization to view.
Affected Products
- Grafana versions prior to 7.5.13
- Grafana versions 8.x prior to 8.3.4
- Fedora 34, 35, and 36 (via packaged Grafana)
Discovery Timeline
- 2022-01-18 - CVE-2022-21673 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21673
Vulnerability Analysis
This vulnerability is an authorization bypass caused by improper handling of OAuth identity forwarding in Grafana's data source proxy. Exploitation requires several conditions to hold at once: the Grafana instance must have data sources that support the Forward OAuth Identity feature, at least one of those data sources must have the feature enabled, OAuth authentication must be configured, and usable API keys must exist in the environment.
When these conditions are met, a holder of a valid API token can send queries to a data source with Forward OAuth Identity enabled. Instead of the request being authenticated with the permissions associated with the API token, Grafana forwards the OAuth credentials of the most recently logged-in user. The API token holder thereby assumes that user's identity towards the backend data source.
Root Cause
The root cause is that Grafana's OAuth identity forwarding mechanism does not distinguish between authenticated user sessions and API token-based requests. The system fails to validate whether an OAuth identity should be forwarded at all when the request originates from an API token rather than an interactive user session. The result is a token confusion state in which API token requests inherit cached OAuth credentials from a previously authenticated user.
Attack Vector
The attack is network-based and requires low privileges (a valid API token). An attacker needs to:
- Obtain a valid Grafana API token (through legitimate means or compromise)
- Identify data sources with Forward OAuth Identity enabled
- Send queries using the API token to these data sources
- The query then executes with the OAuth identity of the most recently logged-in user
The vulnerability does not require user interaction and can be exploited programmatically through the Grafana API.
Detection Methods for CVE-2022-21673
Indicators of Compromise
- Unusual data source queries authenticated with an API token where the OAuth user whose identity was forwarded does not match the expected owner of that token
- Audit logs showing API token-based requests accessing data typically restricted to specific OAuth users
- Unexpected data access patterns from service accounts or API integrations
Detection Strategies
- Review Grafana audit logs for API token usage patterns that access OAuth-protected data sources
- Monitor for queries to data sources with Forward OAuth Identity enabled that originate from API tokens rather than interactive sessions
- Implement alerting on data access anomalies where API tokens access resources outside their expected scope
Monitoring Recommendations
- Enable comprehensive audit logging in Grafana to track all data source queries
- Monitor authentication events and correlate API token usage with OAuth session activity
- Track data source access patterns to establish baselines and detect anomalous queries
- Review which data sources have Forward OAuth Identity enabled and assess the risk exposure
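As an added example (not code from this page or from the Grafana project), the following script checks two of the exposure conditions described above: whether a reported version falls in the affected ranges listed under Affected Products, and which data sources in a `/api/datasources` response have Forward OAuth Identity enabled. It assumes that toggle is stored as the boolean `jsonData.oauthPassThru`, which is the key Grafana uses for this setting but is not named on the page; the sample data source list is constructed.

```python
"""Exposure check for CVE-2022-21673: affected version range plus data sources
with Forward OAuth Identity enabled. Added example, not Grafana project code."""
import json
import re

# Fixed versions from the advisory: 7.5.13 closes the 7.x line, 8.3.4 the 8.x line.
FIXED_7 = (7, 5, 13)
FIXED_8 = (8, 3, 4)

def parse_version(version: str) -> tuple:
    """Reduce '8.3.3', 'v8.3.3' or '8.3.3-beta1' to (8, 3, 3)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    return tuple(int(part) for part in m.groups())

def is_affected_version(version: str) -> bool:
    """True when the version lies in a range the advisory lists as affected."""
    v = parse_version(version)
    if v[0] < 8:
        return v < FIXED_7   # everything before 7.5.13
    if v[0] == 8:
        return v < FIXED_8   # 8.x before 8.3.4
    return False             # 9.x and later carry the fix

def forward_oauth_datasources(datasources: list) -> list:
    """Names of data sources with Forward OAuth Identity on. Assumes the JSON
    shape of GET /api/datasources, where the toggle is jsonData.oauthPassThru."""
    return [ds.get("name", "<unnamed>") for ds in datasources
            if (ds.get("jsonData") or {}).get("oauthPassThru") is True]

def assess(version: str, datasources: list) -> dict:
    """Combine both checks. OAuth configuration and API key existence (the
    advisory's other two preconditions) still have to be verified by hand."""
    exposed = forward_oauth_datasources(datasources)
    affected = is_affected_version(version)
    return {"version_affected": affected,
            "forward_oauth_datasources": exposed,
            "action_needed": affected and bool(exposed)}

# Constructed sample resembling a /api/datasources response (not real data).
SAMPLE_DATASOURCES = json.loads("""[
  {"id": 1, "name": "prometheus-oauth", "type": "prometheus",
   "jsonData": {"httpMethod": "POST", "oauthPassThru": true}},
  {"id": 2, "name": "loki-plain", "type": "loki", "jsonData": {}},
  {"id": 3, "name": "legacy-graphite", "type": "graphite"}
]""")

if __name__ == "__main__":
    print(json.dumps(assess("8.3.3", SAMPLE_DATASOURCES), indent=2))
```

Feed it the version from `/api/health` and the body of `/api/datasources` from an admin session to get a first inventory of data sources that warrant the Forward OAuth Identity review recommended above.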
How to Mitigate CVE-2022-21673
Immediate Actions Required
- Upgrade Grafana to version 7.5.13 or later for the 7.x branch
- Upgrade Grafana to version 8.3.4 or later for the 8.x branch
- Review and audit all data sources with Forward OAuth Identity enabled
- Assess API token usage and revoke unnecessary or suspicious tokens
Patch Information
Grafana has released security patches addressing this vulnerability. Users should upgrade to the following versions:
- Grafana Release v7.5.13 for the 7.x series
- Grafana Release v8.3.4 for the 8.x series
Additional details are available in the GitHub Security Advisory GHSA-8wjh-59cw-9xh4. Fedora users should apply the latest package updates as referenced in the Fedora Package Announcement.
Workarounds
- Disable the Forward OAuth Identity feature on data sources where it is not strictly required
- Restrict API token creation and distribution to minimize the attack surface
- Implement network segmentation to limit API token access to Grafana instances
- Review and reduce API token permissions to the minimum necessary scope
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.