CVE-2022-31107 Overview
CVE-2022-31107 is an authorization bypass vulnerability in Grafana, an open-source platform for monitoring and observability. This vulnerability allows a malicious user who has authorization to log into a Grafana instance via a configured OAuth Identity Provider (IdP) to take over the account of another user in that Grafana instance. The attack exploits a flaw in how external and internal user accounts are linked together during the OAuth login process.
Critical Impact
Successful exploitation allows complete account takeover of any Grafana user, enabling attackers to access sensitive monitoring data, dashboards, and potentially make unauthorized configuration changes to the monitoring infrastructure.
Affected Products
- Grafana versions 5.3 through 9.0.2
- Grafana versions 8.5.0 through 8.5.8
- Grafana versions 8.4.0 through 8.4.9
- Grafana versions 8.3.0 through 8.3.9
- NetApp E-Series Performance Analyzer
Discovery Timeline
- July 15, 2022 - CVE-2022-31107 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-31107
Vulnerability Analysis
This vulnerability represents an authorization bypass (CWE-863) in Grafana's OAuth authentication flow. The flaw exists in the account linking mechanism that occurs when users authenticate via external OAuth providers. During the login process, Grafana attempts to associate external OAuth identities with internal user accounts, but this linking process contains a logic flaw that can be exploited under specific conditions.
The vulnerability is exploitable over the network by a low-privileged user (one with authenticated OAuth access), but attack complexity is high because of the prerequisite conditions below. When successfully exploited, it results in complete compromise of the target user's account, with full access to that user's data and permissions within the Grafana instance.
Root Cause
The root cause lies in Grafana's user account linking logic during OAuth authentication. When a user authenticates via OAuth, Grafana performs a lookup to associate the external identity with an existing internal account. The vulnerability occurs because the linking mechanism improperly handles cases where:
- The attacker's external user ID is not already associated with a Grafana account
- The attacker's email address is not already associated with a Grafana account
- The attacker sets their OAuth provider username to match an existing Grafana username
Under these conditions, Grafana incorrectly links the attacker's OAuth session to the victim's internal account based on username matching rather than proper identity verification.
Attack Vector
The attack requires network access and follows this exploitation path:
- The attacker must have legitimate authorization to log into the target Grafana instance via a configured OAuth provider
- The attacker identifies the Grafana username of the target user they wish to impersonate
- The attacker modifies their username in the OAuth provider to match the target user's Grafana username
- The attacker initiates the OAuth login flow to the Grafana instance
- Due to the flawed linking logic, Grafana associates the attacker's OAuth session with the victim's account
- The attacker gains full access to the victim's Grafana account
The attack exploits the trust relationship between Grafana and the OAuth provider, leveraging the username as an insecure identifier for account linking. Organizations with multiple users authorized via OAuth are particularly at risk, as any authorized OAuth user could potentially target other users within the same instance.
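To make the flawed lookup order in the root-cause and attack-vector sections concrete, here is an added Go model of the linking step; it is not Grafana's own code, and the struct names, the AuthMap table and the three-step lookup order are assumptions that follow this page's description.

```go
package main

// Added model of the linking step described above: it reproduces the lookup
// order the advisory describes and is not Grafana's actual code.

// ExternalUser is what the OAuth provider asserts about the person logging in.
type ExternalUser struct {
	AuthID string // provider's stable subject identifier
	Email  string
	Login  string // provider-side username, often editable by the user
}

// InternalUser is a Grafana-side account.
type InternalUser struct {
	ID    int
	Login string
	Email string
}

// Directory is a toy stand-in for the user and external-auth tables.
type Directory struct {
	Users   []InternalUser
	AuthMap map[string]int // external AuthID -> internal user ID
}

// Link resolves an external identity to an internal account. With
// allowLoginFallback=true it follows the flawed order (auth ID, e-mail, then
// username); with false it stops after the e-mail check, which is the
// "email-based linking only" workaround. ok=false means no existing account
// matched and the caller should create a fresh one rather than link.
func (d *Directory) Link(ext ExternalUser, allowLoginFallback bool) (int, bool) {
	if id, ok := d.AuthMap[ext.AuthID]; ok {
		return id, true // this external identity has linked before
	}
	for _, u := range d.Users {
		if ext.Email != "" && u.Email == ext.Email {
			return u.ID, true
		}
	}
	if allowLoginFallback {
		for _, u := range d.Users {
			if u.Login == ext.Login { // username is under the IdP user's control
				return u.ID, true
			}
		}
	}
	return 0, false
}
```

With the fallback enabled, an external identity whose subject and e-mail are both unknown still resolves to whichever account shares its username; without it, the same identity gets a fresh account.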
Detection Methods for CVE-2022-31107
Indicators of Compromise
- Multiple OAuth login attempts from different external user IDs linking to the same internal Grafana account
- Sudden changes in OAuth provider usernames that match existing Grafana user accounts
- Unexpected account activity or dashboard access from unfamiliar OAuth sessions
- Authentication logs showing OAuth logins from users who already have linked accounts via different methods
Detection Strategies
- Monitor Grafana audit logs for OAuth authentication events, particularly account linking activities
- Implement alerting for scenarios where an OAuth session links to an account that was previously accessed by a different authentication method
- Review OAuth provider logs for username changes preceding Grafana authentication attempts
- Cross-reference Grafana access logs with expected user behavior patterns to identify anomalous activity
Monitoring Recommendations
- Enable detailed authentication logging in Grafana configuration
- Implement centralized log collection for both Grafana and OAuth provider authentication events
- Configure SIEM rules to detect account linking anomalies and multiple identity associations
- Establish baseline user behavior profiles to identify suspicious account access patterns
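An added example, not from this page or the Grafana project, implementing the first indicator above (several external identities linking to one internal account) over constructed login records; the key=value record format and its fields (event, user, method, ext_id) are assumptions for illustration, not Grafana's actual log format.

```go
package main

import "strings"

// Constructed sample in a simplified key=value form (not Grafana's real log
// format): one login per line, with the internal account that was resolved and
// the external OAuth subject that produced it ("-" for non-OAuth logins).
const SampleLog = `t=2022-07-01T09:00Z event=login user=alice method=oauth_generic_oauth ext_id=sub-100
t=2022-07-01T09:05Z event=login user=admin method=basic ext_id=-
t=2022-07-01T10:12Z event=login user=admin method=oauth_generic_oauth ext_id=sub-777
t=2022-07-02T08:00Z event=login user=bob method=oauth_generic_oauth ext_id=sub-200
t=2022-07-02T08:30Z event=login user=bob method=oauth_generic_oauth ext_id=sub-201`

// parseKV turns "k=v k=v ..." into a map (the sample format has no quoting).
func parseKV(line string) map[string]string {
	m := map[string]string{}
	for _, f := range strings.Fields(line) {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// Detect returns every internal account that more than one distinct external
// OAuth identity has been linked to, mapped to the set of those identities.
// Non-OAuth logins are ignored, so a basic-auth login followed by a single
// OAuth identity (admin in the sample) is not reported by this rule.
func Detect(log string) map[string]map[string]bool {
	seen := map[string]map[string]bool{} // user -> set of ext_id
	for _, line := range strings.Split(log, "\n") {
		r := parseKV(line)
		if r["event"] != "login" || !strings.HasPrefix(r["method"], "oauth_") {
			continue
		}
		if seen[r["user"]] == nil {
			seen[r["user"]] = map[string]bool{}
		}
		seen[r["user"]][r["ext_id"]] = true
	}
	for u, ids := range seen {
		if len(ids) < 2 {
			delete(seen, u) // one identity per account is the expected state
		}
	}
	return seen
}
```

Feed it the exported records from a SIEM search over the same time window in which the OAuth provider shows username changes, and the flagged accounts are the ones to review first.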
How to Mitigate CVE-2022-31107
Immediate Actions Required
- Upgrade Grafana to patched versions: 9.0.3, 8.5.9, 8.4.10, or 8.3.10
- Audit all user accounts for unexpected OAuth associations or recent linking activity
- Review authentication logs for any signs of exploitation prior to patching
- If an immediate upgrade is not possible, consider temporarily disabling OAuth authentication until the patches are applied
Patch Information
Grafana has released security patches addressing this vulnerability in the following versions:
- Grafana 9.0.3 - Grafana Release Notes 9.0.3
- Grafana 8.5.9 - Grafana Release Notes 8.5.9
- Grafana 8.4.10 - Grafana Release Notes 8.4.10
- Grafana 8.3.10
For additional technical details, refer to the GitHub Security Advisory GHSA-mx47-6497-3fv2. NetApp customers should also review the NetApp Security Advisory NTAP-20220901-0010.
Workarounds
- Disable OAuth login entirely to the Grafana instance if patching is not immediately feasible
- Ensure all users authorized to log in via OAuth have a corresponding pre-existing user account in Grafana linked to their email address before OAuth authentication occurs
- Implement strict access controls on OAuth provider user profile modifications, particularly username changes
- Use email-based account linking exclusively rather than username-based association where possible
# Configuration example - Disable OAuth in grafana.ini
[auth.generic_oauth]
enabled = false
[auth.github]
enabled = false
[auth.google]
enabled = false
[auth.azuread]
enabled = false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.