CVE-2022-21702 Overview
CVE-2022-21702 is a Cross-Site Scripting (XSS) vulnerability affecting Grafana, the widely-deployed open-source platform for monitoring and observability. This vulnerability allows an attacker to serve malicious HTML content through the Grafana datasource or plugin proxy mechanisms, potentially executing arbitrary JavaScript in the context of an authenticated user's browser session.
The attack requires social engineering to convince users to click specially crafted links that point to attacker-controlled resources configured within Grafana. This can be achieved by either compromising an existing datasource for a specific Grafana instance or by instructing users to configure malicious public services as datasources or plugins.
Critical Impact
Authenticated users who click malicious links may have their sessions compromised, potentially allowing attackers to perform actions on their behalf within Grafana, including accessing sensitive monitoring data and modifying dashboard configurations.
Affected Products
- Grafana Grafana (versions prior to 7.5.15 and 8.3.5)
- NetApp E-Series Performance Analyzer
- Fedora 34, 35, and 36
Discovery Timeline
- February 8, 2022 - CVE-2022-21702 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-21702
Vulnerability Analysis
This XSS vulnerability exists in Grafana's proxy mechanisms that forward requests to configured datasources and plugins. The core issue stems from insufficient sanitization of HTTP response headers when proxying content from external sources. When Grafana proxies responses from datasources or plugins configured with "Server" access mode, it fails to properly set security headers that would prevent the browser from interpreting the proxied content as HTML.
The vulnerability can be exploited through three distinct attack vectors:
Datasource Proxy: When an HTTP-based datasource is configured with Server access mode, an attacker controlling the datasource URL can serve malicious HTML content.
Plugin Proxy: Similar to the datasource proxy, HTTP-based app plugins with configured URLs can be exploited if the attacker controls the backend server.
Backend Plugin Resource: Compromised plugins can serve malicious content directly through backend plugin resource endpoints.
Root Cause
The root cause of CVE-2022-21702 lies in the absence of proper response header sanitization in Grafana's reverse proxy implementation. The proxy code failed to set appropriate Content-Security-Policy, X-Content-Type-Options, and related headers on proxied responses, allowing browsers to render potentially malicious HTML content served through the proxy endpoints.
Attack Vector
The attack is network-based and requires user interaction. An attacker must:
- Control an HTTP server that Grafana is configured to proxy to (either by compromising an existing datasource or by convincing an administrator to add a malicious one)
- Craft a URL pointing to the attacker-controlled datasource/plugin through Grafana's proxy
- Trick an authenticated Grafana user into clicking the malicious link
When the victim clicks the link, the malicious HTML/JavaScript served by the attacker's server executes in the context of Grafana's origin, giving the attacker access to the user's session and any actions they can perform.
// Security patch in pkg/api/pluginproxy/ds_proxy.go
// Source: https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
return nil, err
}
res.Header.Del("Set-Cookie")
+proxyutil.SetProxyResponseHeaders(res.Header)
return res, nil
}
The patch adds a call to SetProxyResponseHeaders which sets appropriate security headers on proxied responses to prevent XSS attacks.
// Security patch in pkg/api/pluginproxy/pluginproxy.go
// Source: https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
}
}
-return &httputil.ReverseProxy{Director: director}
+return &httputil.ReverseProxy{Director: director, ModifyResponse: modifyResponse}
+}
+
+func modifyResponse(resp *http.Response) error {
+ proxyutil.SetProxyResponseHeaders(resp.Header)
+
+ return nil
}
This patch adds a ModifyResponse function to the reverse proxy that ensures all proxied responses have proper security headers applied before being returned to the client.
Detection Methods for CVE-2022-21702
Indicators of Compromise
- Unusual HTTP requests to Grafana proxy endpoints (/api/datasources/proxy/* or /api/plugin-proxy/*) with HTML content types in responses
- Access logs showing authenticated users accessing datasource proxy URLs with suspicious or unfamiliar external datasource configurations
- Browser console errors or CSP violations in Grafana user sessions indicating attempted script injection
Detection Strategies
- Monitor Grafana access logs for requests to proxy endpoints that return Content-Type: text/html responses
- Implement network monitoring to detect outbound connections from Grafana servers to unexpected or newly-configured external endpoints
- Review Grafana datasource and plugin configurations for unauthorized or suspicious additions
- Deploy web application firewalls (WAF) with rules to detect XSS payloads in proxied responses
Monitoring Recommendations
- Enable verbose logging on Grafana servers and forward logs to a SIEM for correlation and analysis
- Set up alerts for new datasource or plugin configurations, especially those with Server access mode
- Monitor for unusual user activity patterns that might indicate session compromise, such as bulk data exports or permission changes
- Implement Content Security Policy reporting to detect attempted XSS exploitation
How to Mitigate CVE-2022-21702
Immediate Actions Required
- Upgrade Grafana to version 7.5.15 or 8.3.5 or later immediately
- Audit all configured datasources and plugins to identify any potentially malicious or compromised external endpoints
- Review Grafana access logs for any evidence of exploitation attempts
- Educate users about the risks of clicking untrusted links, even if they appear to point to internal Grafana instances
Patch Information
Grafana has released patched versions that address this vulnerability by implementing proper security header handling in the proxy code. The fix is available in:
- Grafana 7.5.15 for the 7.x branch
- Grafana 8.3.5 for the 8.x branch
The security patch (commit 27726868b3d7c613844b55cd209ca93645c99b85) adds the SetProxyResponseHeaders function call to both the datasource proxy and plugin proxy code paths, ensuring that appropriate security headers are set on all proxied responses.
For detailed information, refer to the GitHub Security Advisory GHSA-xc3p-28hw-q24g and the Grafana Blog Release Announcement.
Workarounds
- There are no known workarounds for this vulnerability; upgrading to patched versions is the only recommended remediation
- As a defense-in-depth measure, restrict which users can configure datasources and plugins to trusted administrators only
- Consider implementing network-level restrictions to limit which external hosts Grafana can proxy to
- Enable strict Content Security Policy headers at the web server level if possible, though this may interfere with Grafana functionality
# Configuration example
# Verify your Grafana version
grafana-cli --version
# Upgrade Grafana on Debian/Ubuntu
sudo apt-get update
sudo apt-get install grafana
# Upgrade Grafana on RHEL/CentOS
sudo yum update grafana
# Restart Grafana service after upgrade
sudo systemctl restart grafana-server
# Verify the new version is running
grafana-cli --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
