CVE-2022-23552 Overview
CVE-2022-23552 is a stored Cross-Site Scripting (XSS) vulnerability affecting Grafana, the popular open-source platform for monitoring and observability. The vulnerability exists in the core GeoMap plugin and allows attackers to execute arbitrary JavaScript in the context of authenticated users by exploiting improper SVG file sanitization.
Critical Impact
An attacker with Editor role privileges can achieve vertical privilege escalation by injecting malicious JavaScript through unsanitized SVG files, potentially compromising accounts with Admin role privileges when they view a malicious dashboard.
Affected Products
- Grafana versions 8.1 through 8.5.15
- Grafana versions 9.0.0 through 9.2.9
- Grafana versions 9.3.0 through 9.3.3
Discovery Timeline
- 2023-01-27 - CVE-2022-23552 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23552
Vulnerability Analysis
This stored XSS vulnerability arises from Grafana's failure to properly sanitize SVG files loaded into the GeoMap plugin. SVG files can contain embedded JavaScript code within tags such as <script> elements or event handlers like onload, which execute when the browser renders the SVG content. Because the GeoMap panel component did not apply proper sanitization before rendering SVG content, malicious scripts embedded within these files were executed in the browser context of any user viewing the affected dashboard.
The vulnerability is particularly dangerous because it enables vertical privilege escalation. An attacker with the lower-privileged Editor role can craft a malicious dashboard panel that, when viewed by an Admin user, executes JavaScript capable of performing administrative actions or exfiltrating session credentials.
Root Cause
The root cause of CVE-2022-23552 is the absence of a sanitization step when processing SVG content in Grafana's rendering pipeline. The application accepted SVG files from external URLs or inline data: scheme URIs without filtering out potentially dangerous elements like embedded scripts or event handlers. This oversight allowed arbitrary JavaScript execution when the SVG was rendered in a user's browser session.
Attack Vector
An attacker requires the Editor role within a Grafana instance to exploit this vulnerability. The attack proceeds as follows:
- The attacker creates or modifies a GeoMap panel configuration
- The panel is configured to load an SVG file containing malicious JavaScript, either via an external URL pointing to an attacker-controlled server or through an inline data: URI
- When a privileged user (such as an Admin) views the dashboard containing the malicious panel, the embedded JavaScript executes in their browser context
- The malicious script can then perform actions with the victim's privileges, such as changing passwords, creating new admin accounts, or exfiltrating sensitive data
// Security patch adding DOMPurify sanitization (SanitizedSVG.tsx)
+import * as DOMPurify from 'dompurify';
+import React from 'react';
+import SVG, { Props } from 'react-inlinesvg';
+
+export const SanitizedSVG = (props: Props) => {
+ return <SVG {...props} cacheRequests={true} preProcessor={getCleanSVG} />;
+};
+
+let cache = new Map<string, string>();
+
+function getCleanSVG(code: string): string {
+ let clean = cache.get(code);
+ if (!clean) {
+ clean = DOMPurify.sanitize(code, { USE_PROFILES: { svg: true, svgFilters: true } });
+ cache.set(code, clean);
+ }
+ return clean;
+}
Source: Grafana Commit
Detection Methods for CVE-2022-23552
Indicators of Compromise
- Dashboard configurations containing GeoMap panels with external SVG URLs pointing to untrusted domains
- GeoMap panel configurations using data: scheme URIs containing base64-encoded or inline SVG content
- Grafana access logs showing requests to external SVG resources from the GeoMap plugin
- Unusual administrative actions occurring shortly after dashboard views by privileged users
Detection Strategies
- Review Grafana dashboard JSON configurations for GeoMap panels referencing external URLs or data: scheme SVG content
- Monitor Grafana audit logs for Editor-role users creating or modifying GeoMap panels with suspicious SVG sources
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Use web application firewalls to detect and block requests containing inline SVG payloads with script elements
Monitoring Recommendations
- Enable and centralize Grafana access and audit logs for security monitoring
- Alert on dashboard modifications by Editor-role users that include external URL references
- Monitor for network connections from Grafana servers to unexpected external domains
- Implement browser-based XSS detection mechanisms for users accessing Grafana dashboards
How to Mitigate CVE-2022-23552
Immediate Actions Required
- Upgrade Grafana to version 8.5.16, 9.2.10, or 9.3.4 or later immediately
- Audit existing dashboards for GeoMap panels containing external SVG URLs or inline SVG content
- Review recent dashboard modifications made by users with Editor role for suspicious changes
- Consider temporarily restricting Editor role access until patching is complete
Patch Information
Grafana has released security patches that introduce DOMPurify-based sanitization for all SVG content. The fix adds a preprocessing step that strips potentially dangerous elements from SVG files before rendering. The patches are available in versions 8.5.16, 9.2.10, and 9.3.4. Organizations should upgrade to these versions or later as soon as possible.
For detailed patch information, refer to the Grafana Security Advisory and the official pull request.
Workarounds
- Restrict the Editor role to trusted users only until patches can be applied
- Implement a Content Security Policy that blocks inline script execution and limits script sources
- Use a reverse proxy or WAF to filter requests containing data: scheme SVG content
- Disable or remove the GeoMap plugin if it is not required in your environment
# Example: Review Grafana dashboards for potentially malicious SVG references
grep -r "geomap" /var/lib/grafana/dashboards/ | grep -E "(http://|https://|data:)"
# Check Grafana version to determine if upgrade is needed
grafana-cli --version
# Upgrade Grafana (Debian/Ubuntu)
sudo apt-get update && sudo apt-get install grafana=9.3.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
