AuthNZ: Security fixes for CVE-2022-35957 and CVE-2022-36062 #55498

Merged (1 commit), Sep 20, 2022

Conversation

IevaVasiljeva (Contributor)

Security patches for CVE-2022-35957 and CVE-2022-36062.

CVE-2022-35957 allowed escalating user permissions from admin to server admin by using a combination of auth proxy and data source proxy. This issue was fixed by not allowing the use of a custom data source header with a key matching the auth proxy's header.

CVE-2022-36062 added Viewer and Editor permissions to dashboards and folders with only Admin permissions set after RBAC was enabled. This was fixed by removing Viewer and Editor permissions from the impacted dashboards and folders.

* Data source: prevent from using auth proxy header as custom data source header (#478)

* apply security changes for auth proxy permission escalation

* fix test

* fix test

* add links to CVE

* remove duplicate check

* apply security fix for admin only folder migration (#483)

Co-authored-by: Karl Persson <[email protected]>
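The CVE-2022-35957 fix described above comes down to one validation rule: a data source must not be allowed to inject a custom header whose name equals the header the auth proxy trusts for the caller's identity. The following Go example, written for this page and not taken from the PR or the project's code base, shows that check in a self-contained form. The `AuthProxyConfig` type, the `httpHeaderName<N>` key convention for custom headers in a data source's JSON, and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthProxyConfig is a constructed stand-in for the slice of server config
// this check needs: the request header the auth proxy trusts as the
// authenticated user's identity (assumed name, not the project's type).
type AuthProxyConfig struct {
	HeaderName string
}

// ErrReservedHeader is returned when a custom data source header would
// shadow the auth proxy header on proxied requests.
var ErrReservedHeader = errors.New("custom data source header collides with the auth proxy header")

// customHeaderNames returns the header names a data source is configured to
// add to proxied requests. The "httpHeaderName<N>" key convention is an
// assumption for this example, not a documented schema.
func customHeaderNames(jsonData map[string]interface{}) []string {
	var names []string
	for key, v := range jsonData {
		if !strings.HasPrefix(key, "httpHeaderName") {
			continue
		}
		if name, ok := v.(string); ok {
			names = append(names, name)
		}
	}
	return names
}

// ValidateCustomHeaders rejects the data source if any custom header name
// equals the auth proxy header. HTTP header names are case-insensitive, so
// the comparison folds case and trims whitespace: an exact string compare
// would let "x-webauth-user" slip past a check for "X-WEBAUTH-USER".
// The check runs whenever a header name is configured, even if the proxy is
// currently switched off, because the stored data source outlives the auth
// setting and would become dangerous the moment the proxy is enabled.
func ValidateCustomHeaders(cfg AuthProxyConfig, jsonData map[string]interface{}) error {
	want := strings.TrimSpace(cfg.HeaderName)
	if want == "" {
		return nil
	}
	for _, name := range customHeaderNames(jsonData) {
		if strings.EqualFold(strings.TrimSpace(name), want) {
			return fmt.Errorf("%w: %q", ErrReservedHeader, name)
		}
	}
	return nil
}

func main() {
	cfg := AuthProxyConfig{HeaderName: "X-WEBAUTH-USER"}
	// Constructed data source JSON: one benign header set, one that mimics
	// the proxy header with different casing and stray whitespace.
	for _, jd := range []map[string]interface{}{
		{"httpHeaderName1": "X-Tenant-ID"},
		{"httpHeaderName1": "X-Tenant-ID", "httpHeaderName2": " x-webauth-user "},
	} {
		fmt.Println(jd, "->", ValidateCustomHeaders(cfg, jd))
	}
}
```

The case-folding and trimming are the part worth keeping in mind when reviewing a fix like this: the upstream data source proxy copies the header as-is, and any receiving side normalises header names, so a naive byte-for-byte comparison against the configured proxy header leaves the original bypass in place.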
@IevaVasiljeva IevaVasiljeva requested a review from a team as a code owner September 20, 2022 15:27
@IevaVasiljeva IevaVasiljeva requested a review from a team September 20, 2022 15:27
@IevaVasiljeva IevaVasiljeva requested review from a team as code owners September 20, 2022 15:27
@IevaVasiljeva IevaVasiljeva requested review from wbrowne, marefr, zserge, mildwonkey and idafurjes and removed request for a team September 20, 2022 15:27
@IevaVasiljeva IevaVasiljeva added this to the 8.5.13 milestone Sep 20, 2022
@IevaVasiljeva IevaVasiljeva enabled auto-merge (squash) September 20, 2022 15:41
@IevaVasiljeva IevaVasiljeva merged commit 0a52f1b into v9.0.x Sep 20, 2022
@IevaVasiljeva IevaVasiljeva deleted the security-fix-backport-9.0.x branch September 20, 2022 15:48
@IevaVasiljeva IevaVasiljeva modified the milestones: 8.5.13, 9.0.9 Sep 20, 2022
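For CVE-2022-36062 the description only says that Viewer and Editor permissions were removed from the dashboards and folders that had been Admin-only before RBAC was enabled. The Go example below, added for this page and not derived from the PR's migration code, models that repair over a constructed permission set: it identifies the impacted items from their legacy ACL rows and strips only the erroneous role grants, leaving items that legitimately granted Viewer or Editor access untouched. The `LegacyACL` and `RBACGrant` types, the action strings and the sample rows are all assumptions for the example.

```go
package main

import "fmt"

// Role is a built-in org role named in the PR description. The data model
// below is a constructed stand-in for this example, not the project's schema.
type Role string

const (
	RoleAdmin  Role = "Admin"
	RoleEditor Role = "Editor"
	RoleViewer Role = "Viewer"
)

// LegacyACL models one pre-RBAC permission row: a role granted access to a
// dashboard or folder (user and team rows are omitted for brevity).
type LegacyACL struct {
	ItemID int64
	Role   Role
}

// RBACGrant models one role-based permission produced by the RBAC migration.
type RBACGrant struct {
	ItemID int64
	Role   Role
	Action string
}

// adminOnlyItems returns the items whose legacy ACL holds Admin rows only.
// Items with no legacy rows are excluded: they inherit default org
// permissions and are outside the scope of this repair.
func adminOnlyItems(acl []LegacyACL) map[int64]bool {
	roles := map[int64]map[Role]bool{}
	for _, row := range acl {
		if roles[row.ItemID] == nil {
			roles[row.ItemID] = map[Role]bool{}
		}
		roles[row.ItemID][row.Role] = true
	}
	impacted := map[int64]bool{}
	for id, set := range roles {
		if len(set) == 1 && set[RoleAdmin] {
			impacted[id] = true
		}
	}
	return impacted
}

// RepairGrants removes Viewer and Editor grants from admin-only items and
// returns the surviving grants with a count of what was dropped. Grants on
// every other item are left as they are, and a second run removes nothing,
// so the repair can be re-applied safely.
func RepairGrants(acl []LegacyACL, grants []RBACGrant) ([]RBACGrant, int) {
	impacted := adminOnlyItems(acl)
	kept := make([]RBACGrant, 0, len(grants))
	removed := 0
	for _, g := range grants {
		if impacted[g.ItemID] && (g.Role == RoleViewer || g.Role == RoleEditor) {
			removed++
			continue
		}
		kept = append(kept, g)
	}
	return kept, removed
}

func main() {
	// Constructed sample: item 1 was Admin-only before RBAC, item 2 also
	// granted Viewer legitimately, item 3 had no explicit ACL at all.
	acl := []LegacyACL{{1, RoleAdmin}, {2, RoleAdmin}, {2, RoleViewer}}
	grants := []RBACGrant{
		{1, RoleAdmin, "dashboards:write"},
		{1, RoleEditor, "dashboards:write"}, // wrongly added by the migration
		{1, RoleViewer, "dashboards:read"},  // wrongly added by the migration
		{2, RoleViewer, "dashboards:read"},  // legitimate, must survive
		{3, RoleViewer, "dashboards:read"},  // default permissions, untouched
	}
	kept, removed := RepairGrants(acl, grants)
	fmt.Printf("removed %d grants, %d remain\n", removed, len(kept))
	for _, g := range kept {
		fmt.Printf("  item %d %-6s %s\n", g.ItemID, g.Role, g.Action)
	}
}
```

The scoping rule is the security-relevant part: a repair that blanket-removed Viewer and Editor grants would break access on items where those roles were granted on purpose, while one that did not consult the legacy rows could not tell an erroneous grant from a legitimate one. Deriving the impacted set from the pre-migration state and making the operation idempotent keeps a re-run after a partial failure from doing further damage.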