CVE-2022-21702 in Grafana

Summary

by MITRE • 02/08/2022

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user into visiting this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of the above datasource, and a specially crafted link pointing at the attacker-controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of the above app, and a specially crafted link pointing at the attacker-controlled plugin must be clicked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 09/05/2025

CVE-2022-21702 represents a critical cross-site scripting vulnerability affecting Grafana versions prior to 9.1.1 and 8.5.12. This vulnerability stems from improper input validation within Grafana's proxy mechanisms that handle HTTP-based data sources and plugin configurations. The flaw exists in the way Grafana processes and renders content from external HTTP servers when these are configured as data sources or plugins, creating an attack surface where malicious actors can inject arbitrary HTML content that executes in the context of authenticated users' browsers.

The vulnerability lies in Grafana's proxy functionality, which lets users configure HTTP-based data sources with Server access mode or HTTP-based app plugins. When an attacker controls the HTTP server hosting the configured URL, they can serve malicious HTML content that is rendered directly within Grafana's interface. The attack requires a specific combination of conditions to succeed: the target must have a configured HTTP data source or plugin with Server access mode, the attacker must control the HTTP server serving that URL, and a user must click on a crafted link that directs them to the malicious endpoint. This attack vector aligns with CWE-79 Cross-site Scripting and follows the ATT&CK technique T1566.001 Phishing via Service, where the malicious payload is delivered through compromised proxy endpoints.

The operational impact of this vulnerability is severe as it allows attackers to execute arbitrary JavaScript code in the context of authenticated Grafana sessions. This means that attackers can potentially access sensitive monitoring data, manipulate dashboards, create or modify users, and even escalate privileges within the Grafana instance. The vulnerability affects both data source proxies and plugin proxies, providing multiple attack vectors for threat actors. The attack requires user interaction through a specially crafted link, but once executed, it can lead to complete compromise of the Grafana instance and potentially the underlying monitoring infrastructure. The vulnerability affects organizations that rely heavily on Grafana for monitoring and observability, as it can provide attackers with persistent access to critical infrastructure monitoring data.

Organizations should immediately update to Grafana versions 9.1.1 or 8.5.12 to mitigate this vulnerability, as no effective workarounds exist for this particular flaw. The patch addresses the core issue by implementing proper HTML sanitization and input validation in the proxy handling code. Security teams should also review all configured HTTP data sources and plugins to ensure no unauthorized or untrusted endpoints are configured with server access mode. Additionally, organizations should implement network-level controls to restrict outbound connections from Grafana instances to external servers, particularly those that are not required for normal operations. The vulnerability demonstrates the importance of validating and sanitizing all external content before rendering it within web applications, especially in monitoring platforms where users frequently interact with data from multiple sources. This incident highlights the need for comprehensive security testing of proxy mechanisms and the importance of maintaining current software versions to protect against known vulnerabilities.
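As an added example (not part of the VulDB analysis or Grafana's own code), the review of configured data sources recommended above can be scripted over the JSON that Grafana's `GET /api/datasources` endpoint returns: it flags entries matching the advisory's preconditions, Server access mode (`"access": "proxy"`) with a URL set, whose upstream host is outside an assumed allowlist of hosts the team operates itself. The sample JSON and the allowlist suffixes are constructed; app plugins are not covered here because their upstream URL is not part of this listing.

```python
"""Audit Grafana data sources for the CVE-2022-21702 preconditions."""
import json
from urllib.parse import urlsplit

# Constructed sample of a GET /api/datasources response, trimmed to the
# fields used here; not captured from a real Grafana instance.
SAMPLE_DATASOURCES = json.loads("""[
  {"id": 1, "uid": "a1", "name": "prom-internal", "type": "prometheus",
   "url": "http://prometheus.monitoring.svc:9090", "access": "proxy"},
  {"id": 2, "uid": "b2", "name": "vendor-demo", "type": "prometheus",
   "url": "https://demo.example.net", "access": "proxy"},
  {"id": 3, "uid": "c3", "name": "browser-loki", "type": "loki",
   "url": "http://loki.monitoring.svc:3100", "access": "direct"},
  {"id": 4, "uid": "d4", "name": "testdata", "type": "testdata",
   "url": "", "access": "proxy"}
]""")

# Assumption: hosts under these suffixes are operated by the organisation.
TRUSTED_HOST_SUFFIXES = (".monitoring.svc",)


def uses_server_proxy(ds):
    """True when the data source matches the advisory's preconditions:
    Server (proxy) access mode with a URL configured."""
    return ds.get("access") == "proxy" and bool(ds.get("url"))


def is_trusted(url, suffixes=TRUSTED_HOST_SUFFIXES):
    """True when the URL's host is the suffix itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def audit(datasources, suffixes=TRUSTED_HOST_SUFFIXES):
    """Return the names of proxied data sources whose upstream host is
    not in the trusted allowlist and therefore needs manual review."""
    return [ds["name"] for ds in datasources
            if uses_server_proxy(ds) and not is_trusted(ds["url"], suffixes)]


if __name__ == "__main__":
    for name in audit(SAMPLE_DATASOURCES):
        print("review data source:", name)
```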

Responsible

GitHub, Inc.

Reservation

11/16/2021

Disclosure

02/08/2022

Moderation

accepted

CPE

ready

EPSS

0.02359

KEV

no

Activities

very low
