
Cloud Vulnerability DB
A community-led vulnerabilities database
Grafana Enterprise versions from 8.1.0-beta1 through 8.4.5 were affected by a high-severity privilege escalation vulnerability (CVE-2022-24812) discovered during an internal security audit on April 3, 2022. The vulnerability occurs when fine-grained access control is enabled and a client uses a Grafana API Key to make requests; the permissions for that API Key are cached for 30 seconds for the given organization (GitHub Advisory, Grafana Blog).
The vulnerability stems from the way the cache ID is constructed for API Key permissions. When fine-grained access control is enabled, subsequent requests with any API Key in the organization evaluate to the same permissions as the previous request within a 30-second window. This leads to privilege escalation when a first request is made with an API Key that has Admin permissions and, within that window, a second request is made with a different API Key that has only Viewer permissions: the second request inherits the cached Admin permissions from the first (GitHub Advisory). The vulnerability has been assigned a CVSS score of 8.0 HIGH (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) (NVD).
The vulnerability only impacts Grafana Enterprise installations where the fine-grained access control beta feature is enabled and there are multiple API Keys with different roles in one organization. Successful exploitation could allow attackers to escalate their privileges and access resources with higher permissions than intended (GitHub Advisory).
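To make the cache-ID flaw concrete, here is an added Go example (not Grafana's code): a simplified permission cache with a 30-second TTL, once keyed only by organization as described above and once keyed by organization plus API key. The type names, the `users:write` action and the two API keys (1 = Admin, 2 = Viewer) are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

type Permissions map[string]bool // action set resolved for one principal (constructed)
type cacheEntry struct{ perms Permissions; expires time.Time }
// PermCache caches resolved API-key permissions for ttl; keyFn builds the cache ID.
type PermCache struct {
	ttl     time.Duration
	now     func() time.Time
	keyFn   func(orgID, apiKeyID int64) string
	resolve func(orgID, apiKeyID int64) Permissions // authoritative lookup, e.g. the DB
	entries map[string]cacheEntry
}

// OrgOnlyKey mirrors the flaw: the cache ID carries only the organization, so every API key in it shares one entry.
func OrgOnlyKey(orgID, _ int64) string { return fmt.Sprintf("perms:org:%d", orgID) }
// PerKeyKey is the corrected form: the API key identity is part of the cache ID.
func PerKeyKey(orgID, apiKeyID int64) string { return fmt.Sprintf("perms:org:%d:key:%d", orgID, apiKeyID) }
// Get returns cached permissions while fresh, otherwise resolves and caches them.
func (c *PermCache) Get(orgID, apiKeyID int64) Permissions {
	k := c.keyFn(orgID, apiKeyID)
	if e, ok := c.entries[k]; ok && c.now().Before(e.expires) {
		return e.perms
	}
	p := c.resolve(orgID, apiKeyID)
	c.entries[k] = cacheEntry{perms: p, expires: c.now().Add(c.ttl)}
	return p
}

// ViewerInherits replays the scenario: API key 1 (Admin) is used first, then API key 2
// (Viewer) `gap` later. It reports whether key 2 is granted the Admin-only action.
func ViewerInherits(keyFn func(orgID, apiKeyID int64) string, gap time.Duration) bool {
	clock := time.Unix(0, 0)
	c := &PermCache{ttl: 30 * time.Second, now: func() time.Time { return clock },
		keyFn: keyFn, entries: map[string]cacheEntry{},
		resolve: func(_, id int64) Permissions { return Permissions{"users:write": id == 1} }}
	c.Get(1, 1) // org 1, API key 1: Admin (constructed roles)
	clock = clock.Add(gap)
	return c.Get(1, 2)["users:write"] // org 1, API key 2: Viewer
}

func main() {
	fmt.Println("org-only ID, 5s later:", ViewerInherits(OrgOnlyKey, 5*time.Second))   // true
	fmt.Println("org-only ID, 31s later:", ViewerInherits(OrgOnlyKey, 31*time.Second)) // false
	fmt.Println("per-key ID, 5s later:", ViewerInherits(PerKeyKey, 5*time.Second))     // false
}
```

The second call shows why the window matters: once the 30-second entry expires, the Viewer key resolves its own permissions even with the flawed cache ID.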
All installations of Grafana Enterprise v8.1.0-beta1 through v8.4.5 should be upgraded to version 8.4.6 as soon as possible. As an alternative workaround, administrators can disable the fine-grained access control feature to mitigate the vulnerability. Grafana Cloud instances have been patched, and cloud providers licensed to offer Grafana Pro (including Amazon Managed Grafana and Azure Managed Grafana) have confirmed their offerings are secure (Grafana Blog).
Source: This report was generated using AI