Summary
Grafana Enterprise uses the crewjam/saml library for its SAML integration. On Nov 30, 2022 an advisory and the corresponding fix were published for the upstream library, describing a vulnerability that allows privilege escalation when a SAML response contains multiple assertions.
The vulnerability is exploitable only when the SAML Response document itself is not signed and it carries multiple assertions, at least one of which is signed. In that case the library verified the signed assertion and then treated every assertion in the response as trusted. An attacker who can intercept the SAML response in the browser can therefore append an arbitrary unsigned assertion, and the library parses it as if it had been signed by the identity provider.
Steps to reproduce
Log in via SAML with any valid, low-privileged credentials
Intercept the SAML response, which contains a single signed assertion
Add a second, unsigned assertion whose subject is the username/email of an Admin user
Forward the modified response to Grafana
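The procedure above, as an added illustration (not code from Grafana or crewjam/saml): a toy SAML-like response in which a Signature is an HMAC-SHA256 over the signed element's content, standing in for a verified XML-DSig signature. The demo key, the user names and the Role attribute are all constructed for this example. vulnerableAssertions reproduces the bug class (one verified assertion makes every assertion trusted); hardenedAssertions shows one sound policy, accepting an unsigned response only when every assertion verifies on its own, which is not necessarily the upstream project's exact fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Toy SAML-like response. Real SAML uses XML-DSig; here a Signature is an
// HMAC-SHA256 over the signed element's content, standing in for a verified
// IdP signature. This models the bug class; it is not crewjam/saml's code.
type Signature struct {
	Value string `xml:"SignatureValue"`
}

type Assertion struct {
	Subject   string     `xml:"Subject"`
	Role      string     `xml:"Role"` // hypothetical attribute mapped to the Grafana role
	Signature *Signature `xml:"Signature,omitempty"`
}

type Response struct {
	XMLName    xml.Name    `xml:"Response"`
	Signature  *Signature  `xml:"Signature,omitempty"`
	Assertions []Assertion `xml:"Assertion"`
}

var idpKey = []byte("constructed-demo-idp-key") // constructed; stands in for the IdP signing key

func mac(content string) string {
	m := hmac.New(sha256.New, idpKey)
	m.Write([]byte(content))
	return hex.EncodeToString(m.Sum(nil))
}

func (a Assertion) content() string { return a.Subject + "|" + a.Role }

// A document-level signature covers every assertion, so nothing can be appended.
func (r Response) content() string {
	s := ""
	for _, a := range r.Assertions {
		s += a.content() + ";"
	}
	return s
}

func verified(sig *Signature, content string) bool {
	return sig != nil && hmac.Equal([]byte(sig.Value), []byte(mac(content)))
}

// vulnerableAssertions mirrors the flawed logic: once any assertion in an
// unsigned response verifies, every assertion in it is treated as trusted.
func vulnerableAssertions(r Response) ([]Assertion, error) {
	if verified(r.Signature, r.content()) {
		return r.Assertions, nil
	}
	for _, a := range r.Assertions {
		if verified(a.Signature, a.content()) {
			return r.Assertions, nil // bug: the unsigned assertions come along too
		}
	}
	return nil, errors.New("no valid signature")
}

// hardenedAssertions accepts an unsigned response only when every assertion
// verifies individually; otherwise the whole response is rejected.
func hardenedAssertions(r Response) ([]Assertion, error) {
	if verified(r.Signature, r.content()) {
		return r.Assertions, nil
	}
	if len(r.Assertions) == 0 {
		return nil, errors.New("no assertions")
	}
	for i, a := range r.Assertions {
		if !verified(a.Signature, a.content()) {
			return nil, fmt.Errorf("assertion %d (%s) is not signed", i, a.Subject)
		}
	}
	return r.Assertions, nil
}

// tamperedResponse builds the attack from the steps above: an IdP-signed
// assertion for a normal user plus an injected, unsigned Admin assertion,
// marshalled to XML and parsed back the way a service provider would.
func tamperedResponse() (Response, error) {
	alice := Assertion{Subject: "alice@example.com", Role: "Viewer"}
	alice.Signature = &Signature{Value: mac(alice.content())}
	admin := Assertion{Subject: "admin@example.com", Role: "Admin"} // injected, unsigned
	doc, err := xml.Marshal(Response{Assertions: []Assertion{alice, admin}})
	if err != nil {
		return Response{}, err
	}
	var parsed Response
	err = xml.Unmarshal(doc, &parsed)
	return parsed, err
}

func main() {
	r, err := tamperedResponse()
	if err != nil {
		panic(err)
	}
	v, err := vulnerableAssertions(r)
	fmt.Println("vulnerable:", len(v), "assertions accepted, err:", err)
	h, err := hardenedAssertions(r)
	fmt.Println("hardened:", len(h), "assertions accepted, err:", err)
}
```

The same model also shows why signing the entire Response is a valid workaround: a document-level signature covers the concatenation of all assertions, so an appended assertion breaks it and the response is rejected by either parser.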
Mitigations
To fully address CVE-2022-41912, upgrade your Grafana instances to a release containing the fix. If you cannot upgrade immediately, configure your identity provider to sign the entire SAML Response document (not only the individual assertions), since a document-level signature cannot be extended with additional assertions, or temporarily disable SAML authentication.