CVE-2022-31097 Overview
CVE-2022-31097 is a stored cross-site scripting (XSS) vulnerability affecting Grafana, an open-source platform widely used for monitoring and observability. The vulnerability exists within the Unified Alerting feature and allows authenticated users with editor-level privileges to inject malicious scripts that persist in the application. When an administrator views the affected content, the malicious script executes in their browser context, potentially allowing the attacker to escalate privileges from editor to admin.
Critical Impact
This stored XSS vulnerability enables privilege escalation from editor to administrator by tricking authenticated admins into clicking malicious links, potentially compromising the entire Grafana deployment and all connected data sources.
Affected Products
- Grafana versions 8.x prior to 8.3.10, 8.4.10, and 8.5.9
- Grafana versions 9.x prior to 9.0.3
- NetApp E-Series Performance Analyzer
Discovery Timeline
- July 15, 2022 - CVE-2022-31097 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-31097
Vulnerability Analysis
This stored cross-site scripting vulnerability resides in Grafana's Unified Alerting feature. Unlike reflected XSS attacks that require victims to click a specially crafted link each time, stored XSS persists the malicious payload within the application itself. In this case, an attacker with editor-level access can inject malicious JavaScript code through the alerting configuration interface.
The attack requires low complexity to execute but does need user interaction: specifically, an authenticated administrator must view the page containing the injected script. When triggered, the malicious code executes with the administrator's session context, enabling the attacker to perform actions as that administrator, including modifying user permissions, accessing sensitive data sources, or creating backdoor accounts.
The CVSS scope of this vulnerability is Changed, meaning that successful exploitation affects resources beyond the security authority of the vulnerable component. Because the injected script runs in the administrator's session rather than the editor's, it can reach dashboards, data sources, and organizational settings that the original editor account should not have access to.
Root Cause
The root cause of CVE-2022-31097 is improper input sanitization within the Unified Alerting feature (CWE-79). The application fails to adequately validate and encode user-supplied input before storing it in the database and rendering it back to users. This allows script tags and JavaScript event handlers to be stored and later executed when the content is displayed to other users, particularly administrators viewing alerting configurations.
Attack Vector
The attack is network-based and requires an authenticated user with at least editor privileges. The attacker crafts a malicious alert rule or notification that contains embedded JavaScript code. This payload is stored in the Grafana database. When an administrator navigates to the alerting section and views the attacker-created content, the browser executes the injected script in the context of the administrator's authenticated session.
The vulnerability leverages the trust relationship between authenticated users and the application's alerting feature. Since the malicious content appears to originate from a legitimate Grafana feature, administrators may not recognize the threat before the script executes. The injected JavaScript can then access session tokens, make API calls to modify user roles, or exfiltrate sensitive configuration data.
Detection Methods for CVE-2022-31097
Indicators of Compromise
- Unexpected JavaScript or HTML tags appearing in Grafana alert rule names, annotations, or notification templates
- Unusual administrative actions in Grafana audit logs, particularly role changes for editor accounts
- Browser console errors or unexpected network requests when viewing alerting configurations
- Editor accounts suddenly gaining administrator privileges without legitimate authorization
Detection Strategies
- Monitor Grafana audit logs for privilege escalation events, particularly changes from editor to admin roles
- Implement web application firewall (WAF) rules to detect XSS payloads in HTTP requests to Grafana alerting endpoints
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Review alerting configurations for suspicious content containing <script> tags, event handlers, or JavaScript URIs
Monitoring Recommendations
- Enable and centralize Grafana server logs and audit logs for security analysis
- Configure alerting on unusual API activity patterns, especially bulk permission modifications
- Monitor for anomalous session behavior such as administrators performing actions from unexpected IP addresses
- Implement regular reviews of user role assignments and alerting configurations
How to Mitigate CVE-2022-31097
Immediate Actions Required
- Upgrade Grafana immediately to patched versions: 9.0.3, 8.5.9, 8.4.10, or 8.3.10
- Audit all existing alert rules and notification configurations for potentially malicious content
- Review recent privilege changes and revert any unauthorized role escalations
- Restrict editor access to the Unified Alerting feature until patching is complete
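A defender-side audit helper, added here as an example; it is not code from the original advisory or from Grafana itself. It walks every string field of alert-rule objects and flags the content classes named in the detection and audit steps above (script tags, other HTML tags, inline event handlers, javascript: URIs), decoding HTML entities first so encoded variants are not missed. The rule shape mirrors what the provisioning API endpoint GET /api/v1/provisioning/alert-rules is assumed to return; the sample rules are constructed inline so the block runs offline.

```python
import html
import re
from typing import Any, Dict, Iterator, List, Tuple

# Pattern classes to review for; values are HTML-entity decoded and lower-cased
# first so that encoded variants such as &lt;script&gt; are still caught.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "html_tag": re.compile(r"<\s*(img|svg|iframe|object|embed|a|body|input)\b"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "javascript_uri": re.compile(r"javascript\s*:"),
}

def classify(value: str) -> List[str]:
    """Return the names of every suspicious pattern found in one string."""
    text = html.unescape(value).lower()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]

def walk_strings(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted path, value) for every string nested in a rule object."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_rules(rules: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flag every string field of every rule that matches a suspicious pattern."""
    findings = []
    for rule in rules:
        for path, value in walk_strings(rule):
            hits = classify(value)
            if hits:
                findings.append({"uid": rule.get("uid"), "field": path, "patterns": hits})
    return findings

# Constructed sample in the shape of the provisioning API response (assumed:
# GET /api/v1/provisioning/alert-rules); not rules from any real deployment.
SAMPLE_RULES = [
    {"uid": "cpu-high", "title": "CPU above 90%",
     "annotations": {"summary": "CPU high on {{ $labels.instance }}"}},
    {"uid": "rule-b", "title": "Disk usage <script>x</script>",
     "annotations": {"runbook_url": "javascript:x"}},
    {"uid": "rule-c", "title": "Latency",
     "labels": {"team": "&lt;img src=x onerror=x&gt;"}},
]
```

Feed audit_rules the JSON list from that endpoint (or a provisioning export) and treat each finding as a candidate for the manual review the steps above call for.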
Patch Information
Grafana has released security patches addressing this vulnerability. Organizations should upgrade to the following versions based on their current deployment:
- For Grafana 9.x deployments: Upgrade to version 9.0.3 or later. See Grafana Release Notes 9.0.3 for details.
- For Grafana 8.5.x deployments: Upgrade to version 8.5.9 or later. See Grafana Release Notes 8.5.9 for details.
- For Grafana 8.4.x deployments: Upgrade to version 8.4.10 or later. See Grafana Release Notes 8.4.10 for details.
- For Grafana 8.3.x deployments: Upgrade to version 8.3.10 or later.
NetApp E-Series Performance Analyzer users should consult the NetApp Security Advisory ntap-20220901-0010 for specific guidance.
Additional technical details are available in the GitHub Security Advisory GHSA-vw7q-p2qg-4m5f.
Workarounds
- Disable Unified Alerting entirely if immediate patching is not feasible by setting enabled = false under the [unified_alerting] section of the Grafana configuration
- Revert to legacy alerting by setting enabled = true under the [alerting] section of grafana.ini
- Implement strict access controls to limit which users have editor privileges
- Deploy a web application firewall with XSS detection rules in front of Grafana instances
# Configuration example - Disable Unified Alerting and enable legacy alerting
# Edit grafana.ini or custom.ini
[unified_alerting]
enabled = false

[alerting]
enabled = true

# Then restart the Grafana service (shell command, not part of the ini file)
sudo systemctl restart grafana-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

