CVE-2022-21713 Insecure Direct Object Reference on Grafana - Editor Role

What is Insecure Direct Object Reference (IDOR)?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation. (PortSwigger)
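To make the access-control mistake concrete, here is an added Python model of a team-details lookup, first as a direct object reference with no authorization check and then with the check in place. This is example code written for this page, not Grafana's implementation: the User and Team types, the sample data and the policy (org admins see any team in their org, everyone else only the teams they belong to) are assumptions for the illustration, not Grafana's exact rule.

```python
"""Model of a team-details endpoint with and without an access-control check.

Added example: the types, sample data and policy below are constructed for
illustration and are not Grafana's implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    user_id: int
    org_id: int
    role: str  # "Admin", "Editor" or "Viewer", mirroring Grafana's org roles


@dataclass(frozen=True)
class Team:
    team_id: int
    org_id: int
    name: str
    member_ids: FrozenSet[int] = field(default_factory=frozenset)


class NotFound(Exception):
    """Raised for ids the caller may not see as well as ids that do not exist."""


# Constructed sample data: two teams in org 1 and one in org 2.
TEAMS: Dict[int, Team] = {
    1: Team(1, 1, "platform", frozenset({10, 11})),
    2: Team(2, 1, "security", frozenset({12})),
    3: Team(3, 2, "other-org", frozenset({20})),
}


def render(team: Team) -> dict:
    return {"id": team.team_id, "name": team.name, "orgId": team.org_id}


def get_team_vulnerable(user: User, team_id: int) -> dict:
    """IDOR: the client-supplied id is the only thing that decides what comes back.

    The caller is authenticated, but nothing relates the caller to the object,
    so any logged-in user can read every team simply by changing the id.
    """
    team = TEAMS.get(team_id)
    if team is None:
        raise NotFound(team_id)
    return render(team)


def can_view_team(user: User, team: Team) -> bool:
    """Example policy (an assumption here, not Grafana's exact rule):
    org admins may view any team in their org; other roles only teams they belong to."""
    if team.org_id != user.org_id:
        return False
    if user.role == "Admin":
        return True
    return user.user_id in team.member_ids


def get_team_hardened(user: User, team_id: int) -> dict:
    """Same lookup, but the object is released only after the caller's relationship
    to it is checked. Denied and missing ids both map to NotFound, so the endpoint
    cannot be used to confirm which ids exist."""
    team = TEAMS.get(team_id)
    if team is None or not can_view_team(user, team):
        raise NotFound(team_id)
    return render(team)


def visible_team_ids(user: User, lookup: Callable[[User, int], dict]) -> List[int]:
    """Report which team ids a given lookup reveals to this user."""
    visible = []
    for team_id in sorted(TEAMS):
        try:
            lookup(user, team_id)
        except NotFound:
            continue
        visible.append(team_id)
    return visible


if __name__ == "__main__":
    editor = User(user_id=11, org_id=1, role="Editor")
    print("vulnerable:", visible_team_ids(editor, get_team_vulnerable))  # [1, 2, 3]
    print("hardened:  ", visible_team_ids(editor, get_team_hardened))    # [1]
```

The design point is that the hardened handler answers "may this caller see this object?" before rendering anything, and that it returns the same NotFound for a denied id and a missing id, so the error itself does not leak which team ids exist.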
Insecure Direct Object References on Grafana v8.3.3

CVE-2022-21713

In Grafana 8.3.3, a user with the Editor role can see another team's details via an Insecure Direct Object Reference, as demonstrated by the /api/teams/1 URI.

Proof of Concept:

1. Log in to the Grafana UI as Admin.

2. Create multiple teams.

3. Create a user with the "editor" role.

4. Log in as the new "editor" user created in the previous step.

5. Refresh the Grafana UI and capture the request with Burp Suite.

6. Send the request to Repeater.

7. Change the request path to /api/teams/<team id>.

8. Check the response for the team details.

The vulnerability cannot be triggered through normal UI use, because the UI does not issue this request for users with the "editor" role; the request has to be sent directly to the API.

If you curl the URL directly (an API request rather than a UI action), you get the team details, as shown below:
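Because the request only ever reaches the API, the server's request log is where a defender would look for it. The following added Python (not part of the original writeup or of Grafana) parses logfmt request lines and reports non-admin users who successfully fetched several distinct teams through /api/teams/<id>. The sample lines are constructed to resemble Grafana's request logging (the router_logging setting); the field names used here, including uname, path and status, are an assumption and may differ between versions, so adjust the parser to your own log format.

```python
"""Detect one non-admin user reading many distinct teams via /api/teams/<id>.

Added example: the log lines are constructed to resemble Grafana's logfmt
request log; the exact field set is an assumption and varies by version.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# key=value pairs, with values either bare tokens or double-quoted strings.
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
TEAM_PATH = re.compile(r"^/api/teams/(\d+)$")


def parse_logfmt(line: str) -> Dict[str, str]:
    """Parse one logfmt line into a dict; quoted values are unquoted."""
    record: Dict[str, str] = {}
    for key, value in LOGFMT_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def find_team_enumeration(lines: Iterable[str],
                          admin_users: frozenset = frozenset(),
                          threshold: int = 3) -> Dict[str, List[int]]:
    """Return {uname: [team ids]} for non-admin users who fetched at least
    `threshold` distinct teams with status 200. A 403/404 is not counted: it
    means the check held (or the id did not exist), which is expected noise."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_logfmt(line)
        if rec.get("method") != "GET" or rec.get("status") != "200":
            continue
        match = TEAM_PATH.match(rec.get("path", ""))
        if not match:
            continue
        uname = rec.get("uname", "<anonymous>")
        if uname in admin_users:
            continue
        seen[uname].add(int(match.group(1)))
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) >= threshold}


def sample_line(uname: str, path: str, status: int, uid: int, minute: int) -> str:
    """Build one constructed log line in the assumed logfmt shape."""
    return (f'logger=context userId={uid} orgId=1 uname={uname} '
            f't=2022-02-08T10:0{minute}:00+0000 lvl=info msg="Request Completed" '
            f'method=GET path={path} status={status} remote_addr=127.0.0.1 '
            f'time_ms=4 size=180 referer=')


# Constructed sample log (not captured from a real instance).
SAMPLE_LOG = [
    sample_line("admin", "/api/teams/1", 200, 1, 0),
    sample_line("admin", "/api/teams/2", 200, 1, 0),
    sample_line("admin", "/api/teams/3", 200, 1, 0),
    sample_line("editor", "/api/teams/1", 200, 2, 1),
    sample_line("editor", "/api/teams/2", 200, 2, 1),
    sample_line("editor", "/api/teams/3", 200, 2, 1),
    sample_line("editor", "/api/teams/4", 200, 2, 2),
    sample_line("editor", "/api/teams/5", 404, 2, 2),          # absent id: not counted
    sample_line("editor", "/api/dashboards/home", 200, 2, 2),  # unrelated path
    sample_line("viewer", "/api/teams/1", 200, 3, 3),          # below threshold
]


if __name__ == "__main__":
    for user, ids in find_team_enumeration(SAMPLE_LOG, admin_users=frozenset({"admin"})).items():
        print(f"{user}: fetched {len(ids)} distinct teams {ids}")  # editor: fetched 4 distinct teams [1, 2, 3, 4]
```

On a patched instance (8.3.5 / 7.5.15 and later, per the advisory linked below) the same requests from an editor who is not a member would no longer return 200, so this query doubles as a check that the fix is in effect; on an unpatched instance it surfaces which non-admin accounts read teams they should not have seen.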



Related Links:

https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv