If your organization is unable to apply the fix quickly, it is recommended to disable HTTP remote rendering by setting `render_enabled_media_types` to `'none'` in your grafana.ini. This will prevent unauthorized file disclosure vulnerability and render panels & dashboards locally only. If this is not possible, it is recommended to only view dashboards, which are also restricted to viewing API keys. ## Vulnerability # Exploitation You can retrieve unauthorized files under some network conditions or via a fake datasapermissions (if user has admin permissions in Grafana). You can retrieve unauthorized files under some network conditions or via a fake datasapermissions (if user has admin permissions in Grafana). ## Mitigation As a workaround it is possible to disable HTTP remote rendering by setting `render_enabled_media_types` to `'none'` in your grafana.ini. This will prevent unauthorized file disclosure vulnerability and render panels & dashboards locally only. If this is not possible, it is recommended to only view dashboards, which are also restricted to viewing API keys.
Vulnerability Summary
1. The remote rendering functionality of Grafana allows unauthorized files disclosure when HTTP remote rendering is enabled.
2. In this vulnerability, unauthorized files can be retrieved under some network conditions or via a fake datasapermissions (if user has admin permissions in Grafana).
3. The workaround for this vulnerability is to disable HTTP remote rendering by setting `render_enabled_media_types` to `'none'` in your grafana.ini and restricting panels & dashboards to only view API keys.
Timeline
Published on: 09/02/2022 21:15:00 UTC
Last modified on: 09/09/2022 03:22:00 UTC