
Grafana Image Renderer leaking files

High
vtorosyan published GHSA-2cfh-233g-m4c5 Aug 30, 2022

Package

https://github.com/grafana/grafana-image-renderer (Grafana)

Affected versions

<= 3.5.0

Patched versions

3.6.1

Description

Today we are releasing Grafana 9.1.2, 9.0.8, 8.5.11, 8.4.11, 8.3.11 and Grafana Image Renderer 3.6.1. This patch release includes a HIGH severity security fix for CVE-2022-31176, which affects Grafana instances that use the Grafana Image Renderer plugin.

Grafana Image Renderer release, also containing security fix:

Release 9.1.2, latest patch, also containing security fix:

Release 9.0.8, latest patch, also containing security fix:

Release v8.5.11, only containing security fix:

Release v8.4.11, only containing security fix:

Release v8.3.11, only containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is also applicable to Amazon Managed Grafana.

Unauthorized file disclosure (CVE-2022-31176)

Summary

On July 21 an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used.
The Chromium browser embedded in the Grafana image renderer allows for ‘printing’ of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). This vulnerability permits unauthorized file disclosure and is a potential DoS vector through targeting of extremely large files.
The CVSS score for this vulnerability is 8.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H) for Grafana instances using Grafana Image Renderer plugin with HTTP remote rendering.

Impacted versions

All Grafana installations with the Grafana Image Renderer plugin used with HTTP remote rendering are affected by this vulnerability.

Solutions and mitigations

All Grafana installations and the Grafana Image Renderer plugin should be upgraded as soon as possible by following all the steps below. They are only required if you are using the Image Renderer plugin with HTTP remote rendering.

  • Upgrade your Grafana instance
  • Upgrade your Image Renderer docker image with the Docker image grafana/grafana-image-renderer:3.6.1
  • In the rendering section of Grafana configuration file, define a strong secret in renderer_token
  • Configure the same secret for the Image Renderer, either via an environment variable called AUTH_TOKEN or by adding the auth_token config key in the [plugin.grafana-image-renderer] section of the Grafana config.
  • Restart your Grafana instance
  • Restart your Image Renderer docker image
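The following script is an added example, not part of the advisory or of Grafana's own tooling. It walks through the shared-secret part of the steps above: it generates a strong random token, writes it as renderer_token in the [rendering] section of grafana.ini and as AUTH_TOKEN in an env file for the grafana/grafana-image-renderer:3.6.1 container, and then checks that the two sides agree before anything is restarted. The server_url and callback_url values, the file paths and the 32-character minimum are assumptions chosen for the example; renderer_token, AUTH_TOKEN and the image tag come from the advisory.

```shell
#!/bin/sh
# Added example (not Grafana's code): provision a shared renderer token for
# HTTP remote rendering and verify both sides of the configuration match.
set -eu

# Generate a 32-byte random token as 64 hex characters using POSIX tools only.
gen_token() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the [rendering] section of grafana.ini.
# server_url / callback_url are placeholder hostnames for this example;
# renderer_token is the setting named in the advisory.
# $1 = token, $2 = output path
write_grafana_ini() {
  cat > "$2" <<EOF
[rendering]
server_url = http://renderer:8081/render
callback_url = http://grafana:3000/
renderer_token = $1
EOF
}

# Write an env file for the renderer container; AUTH_TOKEN must equal
# renderer_token above. Start the container with e.g.
#   docker run --env-file renderer.env grafana/grafana-image-renderer:3.6.1
# $1 = token, $2 = output path
write_renderer_env() {
  printf 'AUTH_TOKEN=%s\n' "$1" > "$2"
}

# Read the token back from each file (empty output if the key is missing).
read_grafana_token() {
  sed -n 's/^renderer_token[[:space:]]*=[[:space:]]*//p' "$1"
}

read_renderer_token() {
  sed -n 's/^AUTH_TOKEN=//p' "$1"
}

# Pre-restart check: both sides set, identical, and at least 32 characters
# (the length floor is an assumption for this example, not a Grafana rule).
# $1 = grafana.ini path, $2 = renderer env path
check_tokens() {
  g=$(read_grafana_token "$1")
  r=$(read_renderer_token "$2")
  [ -n "$g" ] && [ "$g" = "$r" ] && [ "${#g}" -ge 32 ]
}

# Usage (paths are placeholders):
#   token=$(gen_token)
#   write_grafana_ini "$token" ./grafana.ini
#   write_renderer_env "$token" ./renderer.env
#   check_tokens ./grafana.ini ./renderer.env && echo "tokens match"
```

The check matters because a mismatch does not fail loudly at startup: Grafana would simply start sending a token the renderer rejects, or the renderer would accept unauthenticated requests if AUTH_TOKEN was never set. Running check_tokens before the restarts in the steps above catches both cases.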

If you can’t upgrade, as a workaround it is possible to disable HTTP remote rendering, or stop using Grafana Image Renderer plugin entirely.

Appropriate patches have been applied to Grafana Cloud.

Timeline

Here is a detailed timeline starting from when we originally learned of the issue.

  • 2022-07-21: Internal security researcher discovers the vulnerability and creates the initial report.
  • 2022-07-21: The vulnerability is confirmed.
  • 2022-07-22: Temporary mitigation is applied to Grafana Cloud.
  • 2022-07-22: Root cause is determined and work on a fix begins.
  • 2022-08-11: Security fix determined and root cause mitigated.
  • 2022-08-11: Release timeline determined: 2022-08-17 for private customer release, 2022-08-30 for public release.
  • 2022-08-17: Private release.
  • 2022-08-30: Public release.

Reporting security issues

If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Severity

High

CVSS overall score

8.3 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE ID

CVE-2022-31176

Weaknesses