#ubuntu

Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication). Release 9.1.6, latest patch, also containing security fix: - [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-1-6/) Release 9.0.9, only containing security fix: - [Download Grafana 9.0.9](https://grafana.com/grafana/download/9.0.9) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-9/) Release 8.5.13, only containing security fix: - [Download Grafana 8.5.13](https://grafana.com/grafana/download/8.5.13) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-13...

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only containing security fix: - [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8) Release 8.5.14, only containing security fix: - [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana ...

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only containing security fix: - [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8) Release 8.5.14, only containing security fix: - [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana ...

Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for an Oauth takeover vulnerability in Grafana. Release v.9.0.3, containing this security fix and other patches: - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/) Release v.8.5.9, containing this security fix and other fixes: - [Download Grafana 8.5.9](https://grafana.com/grafana/download/8.5.9) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/) Release v.8.4.10, containing this security fix and other fixes: - [Download Grafana 8.4.10](https://grafana.com/grafana/download/8.4.10) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/) Release v.8.3.10, containing this security fix and other fixes: - [Download Grafana 8.3.10](https://grafana.com/grafana/download/8.3.10) #...

Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes MEDIUM severity security fix for Grafana Teams API IDOR. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/) ## Teams API IDOR([CVE-2022-21713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21713)) On Jan. 18, an external security researcher, Kürşad ALSAN from [NSPECT.IO](https://www.nspect.io) ([@nspectio](https://twitter.com/nspectio) on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3....

Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana. Release v.9.0.3, containing this security fix and other patches: - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/) Release v.8.5.9, containing this security fix and other fixes: - [Download Grafana 8.5.9](https://grafana.com/grafana/download/8.5.9) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/) Release v.8.4.10, containing this security fix and other fixes: - [Download Grafana 8.4.10](https://grafana.com/grafana/download/8.4.10) - [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/) Release v.8.3.10, containing this security fix and other fixes: - [Download Grafana 8.3.10](https://grafana.com/grafana/download/8.3.10) ## ...

Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes MEDIUM severity security fix for XSS for Grafana. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/) ## XSS ([CVE-2022-21702](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21702)) ### Summary On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. An attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-si...

When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. ### Impact All of the following must be true: * The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example. * Some data sources are not susceptible, like Prometheus, as they do not have support for this feature. * The option being available is not sufficient enough to determine if the data source is susceptible. * The Grafana instance has a data source with the Forward OAuth Identity feature toggled on. * The Grafana instance has OAuth enabled. * The Grafana instance has usable API keys. ### Patches The following Grafana versions have been patched: * `v8.3.4` * `v7.5.13` ### Workarounds Administrators of G...

Today we are releasing Grafana `8.3.2` and `7.5.12`. This patch release includes a moderate severity security fix for directory traversal for arbitrary `.csv` files. It only affects instances that have the developer testing tool called [TestData DB data source](https://grafana.com/docs/grafana/latest/datasources/testdata/) enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension `.csv` to **authenticated users only.** This is a follow-up patch release to our recent [CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798) release. If you haven’t read about that high severity security fix, we recommend that you review the [initial blog post](https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/), along with our [update on the 0day](https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/). Given the attenti...

### Impact On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. ### Patches Fixed in 8.2.4 ### Workarounds All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a [feature flag](https://grafana.com/docs/grafana/latest/enterprise/access-control/#enable-fine-grained-access-control/). Grafana Cloud instances have not been affected by the vulnerability. ### Reporting security issues If you think you have found a security vulnerability, please send a report to security@grafana.c...