App scan security issues

Hi Team,
We are using Grafana v9.1.1 and it is deployed in a Kubernetes environment. We recently did AppScan security testing and found the 3 high-severity and 1 medium-severity issues below. Can you suggest any patch where these issues are already fixed? If not, is there any plan to fix these issues in the near future?

High:
API Broken Function Level Authorization
API Mass Assignment
SQL Injection

Medium:
Cross-Site Request Forgery


Team,

Any suggestions ?

Regards,
Ajay


@grafana team, it is April 2023, we updated to Grafana 9.4.7 and the HCL AppScan vulnerability scan still displays the following “vulnerability”:

Risk(s): API Mass Assignment exploitation may lead to privilege escalation, data tampering, bypass of security mechanisms

Fix: Avoid using functions that automatically bind the client's input to code variables or internal objects. If applicable, explicitly define and enforce schemas for the input data payloads.

Variant 1 of 1

The following changes were applied to the original request:

Set body to

```text
'{"queries":[{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"TOTAL","refId":"G","exemplar":false,"requestId":"12G","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"up","refId":"B","exemplar":false,"requestId":"12B","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})-sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"DOWN","refId":"A","exemplar":false,"requestId":"12A","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391}],"range":{"from":"2023-04-06T15:53:18.673Z","to":"2023-04-06T15:58:18.673Z","raw":{"from":"now-5m","to":"now"}},"from":"1680796398673","to"…'
```

Reasoning:

The test result seems to indicate a vulnerability because the Test Response is successful (returns 200 OK), indicating that the Application/API access is successful.

Request/Response:

```http
POST /grafana/api/ds/query HTTP/1.1
Host: example.org
Connection: keep-alive
x-plugin-id: prometheus
x-grafana-org-id: 1
x-panel-id: 12
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
content-type: application/json
accept: application/json, text/plain, */*
x-dashboard-uid: xyz
x-datasource-uid: abcdefghijk
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.org/grafana/d/xyz/team-home-dashboard?orgId=1

{
  "queries": [
    {
      "datasource": {"type": "prometheus", "uid": "abcdefghijk"},
      "expr": "count(up{job="www_heartbeat"})",
      "instant": true,
      "interval": "",
      "legendFormat": "TOTAL",
      "refId": "G",
      "exemplar": false,
      "requestId": "12G",
      "utcOffsetSec": -14400,
      "datasourceId": 1,
      "intervalMs": 15000,
      "maxDataPoints": 391
    },
    {
      "datasource": {"type": "prometheus", "uid": "abcdefghijk"},
      "expr": "sum(probe_success{job="www_heartbeat"})",
      "instant": true,
      "interval": "",
      "legendFormat": "up",
      "refId": "B",
      "exemplar": false,
      "requestId": "12B",
      "utcOffsetSec": -14400,
      "datasourceId": 1,
      "intervalMs": 15000,
      "maxDataPoints": 391
    },
    {
      "datasource": {"type": "prometheus", "uid": "abcdefghijk"},
      "expr": "count(up{job="www_heartbeat"})-sum(probe_success{job="www_heartbeat"})",
      "instant": true,
      "interval": "",
      "legendFormat": "DOWN",
      "refId": "A",
      "exemplar": false,
      "requestId": "12A",
      "utcOffsetSec": -14400,
      "datasourceId": 1,
      "intervalMs": 15000,
      "maxDataPoints": 391
    }
  ],
  "range": {
    "from": "2023-04-06T15:53:18.673Z",
    "to": "2023-04-06T15:58:18.673Z",
    "raw": {"from": "now-5m", "to": "now"}
  },
  "from": "1680796398673",
  "to": "1680796698673",
  "is_admin": true,
  "is_sso": true,
  "role": "admin"
}
```

```http
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2023 16:07:03 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000
Cache-Control: no-store
Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-BJxd2DTka/W5jHH/Ynx9lw';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' example.org ws://example.org/grafana/ wss://example.org/grafana/;manifest-src 'self';media-src 'none';form-action 'self';
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Content-Length: 1472
Keep-Alive: timeout=15, max=43
```
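The scanner's "Fix" text asks for an explicitly defined and enforced schema on the input payload, and its "Reasoning" treats the 200 OK alone as the evidence. The Go sketch below is an added example written for this thread; it is not Grafana's code and not the scanner's. It models a hypothetical query handler's decoding step: the struct types are the schema, `DisallowUnknownFields` makes the probe above (extra `is_admin`, `is_sso`, `role` members) fail the decode so the handler would answer 400 rather than 200, and a helper lists which top-level members fell outside the schema so such probes can be logged. The sample body, the type names and the `StatusFor` mapping are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// probeBody is a constructed sample modelled on the scanner's request above:
// an ordinary query payload with "is_admin", "is_sso" and "role" appended at
// the top level. It is not captured traffic.
const probeBody = `{
  "queries": [{
    "datasource": {"type": "prometheus", "uid": "abcdefghijk"},
    "expr": "count(up{job=\"www_heartbeat\"})",
    "instant": true, "refId": "G", "datasourceId": 1,
    "intervalMs": 15000, "maxDataPoints": 391
  }],
  "from": "1680796398673", "to": "1680796698673",
  "is_admin": true, "is_sso": true, "role": "admin"
}`

// The explicit schema for this hypothetical handler. Only members declared
// here can ever be bound; there is no field an authorization flag could land in.
type DataSourceRef struct {
	Type string `json:"type"`
	UID  string `json:"uid"`
}

type Query struct {
	Datasource    DataSourceRef `json:"datasource"`
	Expr          string        `json:"expr"`
	Instant       bool          `json:"instant"`
	RefID         string        `json:"refId"`
	DatasourceID  int64         `json:"datasourceId"`
	IntervalMs    int64         `json:"intervalMs"`
	MaxDataPoints int64         `json:"maxDataPoints"`
}

type QueryRequest struct {
	Queries []Query `json:"queries"`
	From    string  `json:"from"`
	To      string  `json:"to"`
}

// allowedTopLevel lists the members the schema accepts at the top level.
var allowedTopLevel = map[string]bool{"queries": true, "from": true, "to": true}

// DecodeLenient is the default encoding/json behaviour: unknown members are
// silently dropped, the decode succeeds, and the handler would answer 200.
func DecodeLenient(body []byte) (*QueryRequest, error) {
	var req QueryRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	return &req, nil
}

// DecodeStrict enforces the schema: any member not declared on the structs
// fails the decode, so the probe is refused instead of silently ignored.
func DecodeStrict(body []byte) (*QueryRequest, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req QueryRequest
	if err := dec.Decode(&req); err != nil {
		return nil, err
	}
	if dec.More() { // trailing data after the first JSON value
		return nil, errors.New("unexpected data after JSON body")
	}
	if len(req.Queries) == 0 {
		return nil, errors.New("queries must not be empty")
	}
	return &req, nil
}

// UnexpectedTopLevelKeys reports which top-level members fall outside the
// schema (sorted), so a handler can log probes like this one for detection.
func UnexpectedTopLevelKeys(body []byte) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	var extra []string
	for k := range raw {
		if !allowedTopLevel[k] {
			extra = append(extra, k)
		}
	}
	sort.Strings(extra)
	return extra, nil
}

// StatusFor maps a decode result to the HTTP status the handler would send.
func StatusFor(err error) int {
	if err != nil {
		return 400
	}
	return 200
}

func main() {
	body := []byte(probeBody)
	_, lenientErr := DecodeLenient(body)
	_, strictErr := DecodeStrict(body)
	extra, _ := UnexpectedTopLevelKeys(body)
	fmt.Printf("lenient decode -> %d, strict decode -> %d (%v)\n",
		StatusFor(lenientErr), StatusFor(strictErr), strictErr)
	fmt.Println("members outside the schema:", extra)
}
```

Two points this makes concrete. A 200 on a lenient decode only shows that the server ignored the extra members; what matters for a mass-assignment finding is whether any of them was bound to something the server later trusts, and with a schema struct that has no such field there is nothing for them to bind to. Switching to the strict decode closes the scanner's signal but will also reject legitimate clients that send members the schema does not list, so logging `UnexpectedTopLevelKeys` for a while before enforcing is the safer rollout order.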