In this week’s digest, we will cover an account takeover vulnerability in Grafana 5.3, a path traversal vulnerability with potential privilege escalation in pyenv, and a denial-of-service vulnerability in Apache Tomcat.
Grafana Account Takeover using OAuth Vulnerability (CVE-2022-31107)
Grafana recently released versions 8.3.10, 8.4.10, 8.5.9, and 9.0.3 to mitigate a vulnerability related to its OAuth implementation. The vulnerability stems from the way that external and internal user accounts are linked together during login via OAuth.
In order to exploit the vulnerability, a malicious user needs to be authorized to log in to Grafana via OAuth, their username and email address must not already be associated with an account in Grafana, and they need to know the target user’s username in Grafana. If these conditions are met, the malicious user can set their OAuth username to the target user’s Grafana username, which allows them to log in as the target user without any further exploitation.
This vulnerability was scored 7.1 (High) on the CVSS 3.1 scale and affects Grafana versions from 5.3 up to the fixed releases 9.0.3, 8.5.9, 8.4.10, and 8.3.10. Grafana developers urge users running affected installations (5.3 onward) to update as soon as possible to mitigate the issue. As a workaround, it is possible to disable OAuth login entirely, or to ensure that every user authorized to log in via OAuth already has a corresponding Grafana account linked to their email address.
Path Traversal Vulnerability in pyenv (CVE-2022-35861)
A relative path traversal vulnerability was recently patched in pyenv, which could allow local users to gain privileges on a system. This vulnerability affects pyenv versions 1.2.24 through 2.3.2 and scored 7.8 (High) on the CVSS 3.1 scale.
To provide more context on the vulnerability, “shims” are lightweight executables that simply pass your command along to pyenv for execution.
Using this vulnerability, an attacker can craft a Python version string in .python-version to execute shims under their control. The vulnerability is caused by a missing validation check on the version string provided in the .python-version file. The contents of this file are used to construct the path to the commands that need to be executed. By manipulating the value within the file, relative path traversal can occur, which allows local users to gain privileges via a .python-version file in the current working directory.
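As an added illustration (not pyenv’s own code, which is a set of shell scripts), the following Python sketch places the unchecked path construction beside the validation a defender would want: the version string read from .python-version is spliced into the command path, and a traversing value walks out of the versions directory unless it is rejected first. The root path, directory layout and helper names are assumptions.

```python
import os
from pathlib import Path

# Assumed layout (placeholder, not pyenv's real defaults):
#   <PYENV_ROOT>/versions/<version>/bin/<command>
PYENV_ROOT = Path("/opt/pyenv")
VERSIONS_DIR = PYENV_ROOT / "versions"
ALLOWED_CHARS = set("0123456789.abcdefghijklmnopqrstuvwxyz-_+")


def version_from_file_contents(text: str) -> str:
    """Version string is the first non-empty line of .python-version."""
    for line in text.splitlines():
        if line.strip():
            return line.strip()
    return ""


def unchecked_command_path(version: str, command: str) -> Path:
    """Mirrors the defect: the version string is used as-is, so
    '../' segments in it move the resulting path outside versions/."""
    return VERSIONS_DIR / version / "bin" / command


def is_safe_version(version: str) -> bool:
    """Accept only a single plain path component: no separators,
    no '.'/'..', no NUL, and only characters a version name uses."""
    if not version or version in {".", ".."}:
        return False
    if "/" in version or "\\" in version or "\0" in version:
        return False
    return all(c in ALLOWED_CHARS for c in version.lower())


def checked_command_path(version: str, command: str) -> Path:
    """Hardened: validate the component, then confirm the normalized
    path still lies under versions/ (defence in depth)."""
    if not is_safe_version(version):
        raise ValueError(f"rejected version string: {version!r}")
    candidate = Path(os.path.normpath(VERSIONS_DIR / version / "bin" / command))
    if VERSIONS_DIR not in candidate.parents:
        raise ValueError("resolved path escapes the versions directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample file contents, one benign and one traversing.
    for contents in ("3.11.4\n", "../../tmp/evil\n"):
        v = version_from_file_contents(contents)
        print(v, "->", os.path.normpath(unchecked_command_path(v, "python")),
              "| safe:", is_safe_version(v))
```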
Apache Tomcat Denial of Service (CVE-2022-29885)
Apache Tomcat is a free and open source tool that provides a “pure Java” HTTP web server environment in which Java code can run. Tomcat also allows its users to cluster their servers for availability and load balancing.
This vulnerability in Tomcat’s clustering function was initially reported on April 17, 2022. The report described a mistake in the documentation that overstated the protection provided by the EncryptInterceptor. As the impact was Low and a patch would not directly improve the security posture of Apache Tomcat, the flaw was marked as “will not fix”.
While the component in question (EncryptInterceptor) provides confidentiality and integrity protection, it does not protect against all risks associated with running over an untrusted network, particularly DoS risks. To read more about how DoS can be achieved, you may refer to the article written by Cristian Giustini.
Apache recommends that users update to version 9.0.63 to mitigate this issue.