CVE-2022-24812 in Grafana

Summary

by MITRE • 04/12/2022

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges: when, for example, a first request is made with Admin permissions, and the second request with a different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there is more than one API Key in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disabling fine-grained access control will mitigate the vulnerability.


Analysis

by VulDB Data Team • 04/18/2022

The vulnerability identified as CVE-2022-24812 represents a critical privilege escalation flaw within Grafana Enterprise's access control mechanisms. This issue specifically manifests when fine-grained access control is enabled, creating a scenario where API key permissions are incorrectly cached and subsequently reused across different authentication contexts. The vulnerability stems from improper cache identification logic that fails to properly distinguish between different API keys within the same organization, leading to a dangerous overlap in permission evaluation.

The technical implementation of this flaw occurs through the cache ID construction mechanism, which does not incorporate a unique identifier for the individual API key. When a client makes an API request using an API key, the system caches the associated permissions for a 30-second window to improve performance. However, due to the flawed cache key generation, any subsequent request within this window, regardless of which API key is used, will retrieve the cached permissions from the most recent request rather than evaluating the specific permissions assigned to the current key. This creates a scenario where a low-privilege API key can temporarily inherit the permissions of a high-privilege key that was previously used within the cache window.
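The caching defect described above, modelled as an added example (this is not Grafana's code): a per-organization permission cache with a 30-second TTL, once keyed only by the organization (FlawedKey) and once keyed by organization plus API key id (FixedKey). The APIKey record, the role strings and the key functions are constructed for illustration; the injectable clock exists so the TTL window can be exercised.

```go
package main

import (
	"fmt"
	"time"
)

// APIKey is a constructed stand-in for a Grafana API key record and its assigned role.
type APIKey struct {
	ID, OrgID int
	Role      string // "Admin", "Editor" or "Viewer"
}
type entry struct{ role string; expires time.Time }

// PermCache caches resolved permissions for a TTL (30 seconds in the advisory);
// keyFn decides which requests share an entry, and that choice is where the flaw lives.
type PermCache struct {
	ttl     time.Duration
	keyFn   func(APIKey) string
	entries map[string]entry
	Now     func() time.Time // injectable clock so the TTL window can be exercised
}

func NewPermCache(ttl time.Duration, keyFn func(APIKey) string) *PermCache {
	return &PermCache{ttl: ttl, keyFn: keyFn, entries: map[string]entry{}, Now: time.Now}
}

// Resolve returns the role a request made with k is evaluated against.
func (c *PermCache) Resolve(k APIKey) string {
	id := c.keyFn(k)
	if e, ok := c.entries[id]; ok && c.Now().Before(e.expires) {
		return e.role // hit: whatever the previous request stored under this id
	}
	c.entries[id] = entry{role: k.Role, expires: c.Now().Add(c.ttl)}
	return k.Role
}

// FlawedKey models the pre-fix cache id: only the org is encoded, so every key in it shares one entry.
func FlawedKey(k APIKey) string { return fmt.Sprintf("org:%d", k.OrgID) }
// FixedKey also encodes the API key id, so each key resolves its own permissions.
func FixedKey(k APIKey) string { return fmt.Sprintf("org:%d:apikey:%d", k.OrgID, k.ID) }

func main() {
	admin, viewer := APIKey{1, 1, "Admin"}, APIKey{2, 1, "Viewer"}
	flawed, fixed := NewPermCache(30*time.Second, FlawedKey), NewPermCache(30*time.Second, FixedKey)
	flawed.Resolve(admin) // a first request with the Admin key populates each cache
	fixed.Resolve(admin)
	fmt.Println("flawed cache: Viewer key evaluated as", flawed.Resolve(viewer)) // Admin
	fmt.Println("fixed cache: Viewer key evaluated as", fixed.Resolve(viewer))   // Viewer
}
```

Once the 30-second entry expires, the flawed cache resolves the Viewer key correctly again, which is why the advisory describes the window as narrow rather than permanent.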

The operational impact of this vulnerability extends beyond simple permission confusion, creating a potential pathway for privilege escalation attacks that could compromise the entire Grafana organization. When an administrator makes a request using an API key with administrative privileges, the cache captures these elevated permissions. Subsequent requests made with different API keys that should only have viewer or editor permissions will incorrectly receive the cached administrative access, effectively bypassing the intended access control boundaries. This vulnerability is particularly dangerous because it operates silently without generating explicit error messages or audit trail indicators, making detection challenging for security monitoring systems.

This vulnerability aligns with CWE-284 Access Control Issues, specifically addressing improper access control through flawed permission caching mechanisms. The flaw also maps to ATT&CK technique T1078 Valid Accounts, as it enables unauthorized access to elevated privileges through legitimate API keys, and T1548 Abuse of Cloud Resources, since it allows for privilege escalation within cloud-based monitoring platforms. Organizations utilizing Grafana Enterprise with fine-grained access control enabled face significant risk of unauthorized data access, configuration changes, and potential lateral movement within their monitoring infrastructure.

The vulnerability affects all Grafana Enterprise installations from version 8.1.0-beta1 onwards where fine-grained access control is enabled, and multiple API keys exist within the same organization with different assigned roles. The 30-second cache window provides a narrow but sufficient timeframe for exploitation, particularly in high-traffic environments where multiple API requests are processed rapidly. The recommended remediation strategy involves upgrading to the latest Grafana Enterprise version that addresses this caching mechanism, as the vulnerability is not present in earlier versions or when fine-grained access control is disabled. Organizations without immediate upgrade capabilities should disable fine-grained access control as a temporary mitigation measure to prevent exploitation while planning for proper system updates.

Responsible

GitHub, Inc.

Reservation

02/10/2022

Disclosure

04/12/2022

Moderation

accepted

CPE

ready

EPSS

0.02245

KEV

no

Activities

very low
