This flaw affects Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). Grafana Alerting is activated by default in Grafana 9.0.
Details about the issue started to become public in July when Grafana Labs rolled out updates for affected versions 8.0.0- through 9.0.1.
“On Nov. 25, a Grafana community member reported a stored XSS vulnerability in Grafana Alerting. On further investigation, this vulnerability is a regression of CVE-2022-31097. As this issue was raised in our public repositories, we are treating this as a 0-day and are immediately releasing patches to the public,” read the Granfana security bulletin.
An attacker can exploit CVE-2022-31097 to escalate privilege from editor to admin by tricking an authenticated admin to click on a link.
An attacker can exploit this vulnerability in Grafana Alerting to escalate privilege from Editor to Admin by tricking an authenticated admin to click on a link.
9.1.0-beta1 -> 9.3.0-beta1
See the original vulnerability for the original versions that were impacted.
Solutions and mitigations
To fully address CVE-2022-31097, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.
As a workaround, Grafana Alerting may be disabled or users may switch to legacy alerting.
*Beware click the link!