CVE-2022-29170: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in grafana grafana

Medium
Published: Fri May 20 2022 (05/20/2022, 16:10:12 UTC)
Source: CVE
Vendor/Project: grafana
Product: grafana

Description

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list makes it possible to configure Grafana so that the instance calls no hosts, or only specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially disclose sensitive information to those hosts. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/23/2025, 08:50:48 UTC

Technical Analysis

CVE-2022-29170 is a medium-severity vulnerability classified under CWE-601 (URL Redirection to Untrusted Site, commonly known as an Open Redirect) affecting Grafana Enterprise versions starting from 7.4.0-beta1 up to but not including 7.5.16, and versions from 8.0.0 up to but not including 8.5.3. Grafana is a widely used open-source platform for monitoring and observability, often deployed in enterprise environments to visualize and analyze metrics and logs. The vulnerability specifically impacts the Request security feature in Grafana Enterprise, which allows administrators to configure an allow list of hosts that Grafana is permitted to call. This feature is designed to restrict Grafana's outbound HTTP requests to trusted hosts only. The vulnerability arises when a malicious datasource, hosted on an allowed host, returns an HTTP redirect response to a host that is not on the allow list. In this scenario, Grafana blindly follows the HTTP redirect without validating the destination against the allow list. Consequently, this bypasses the intended security restrictions, potentially exposing sensitive information to unauthorized external sites. This can lead to leakage of secure data or facilitate phishing or other social engineering attacks by redirecting users to untrusted domains. It is important to note that this vulnerability only affects Grafana Enterprise when the Request security allow list is enabled and when it is possible to add a custom datasource capable of issuing HTTP redirects. Grafana Cloud is not impacted by this vulnerability. The issue has been addressed in versions 7.5.16 and 8.5.3, which include patches to properly validate redirects against the allow list. Currently, there are no known workarounds, and no public exploits have been reported in the wild as of the published date (May 20, 2022).
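The fix the analysis describes, shown as a hardened HTTP client in Go (the language Grafana is written in): every redirect hop is re-validated against the same allow list as the initial request, instead of being followed blindly. This is an added example, not Grafana's own code; the allow-list map, the function names and the constructed redirecting test server are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrRedirectBlocked marks a redirect hop whose host is outside the allow list.
var ErrRedirectBlocked = fmt.Errorf("redirect target not on request security allow list")

// hostAllowed compares the request's hostname (port stripped, case-folded) with the allow list.
func hostAllowed(allow map[string]bool, req *http.Request) bool {
	return allow[strings.ToLower(req.URL.Hostname())]
}

// allowListGet validates the initial URL and, via CheckRedirect, every redirect hop;
// a default http.Client has no such hook and follows redirects blindly (the bug).
func allowListGet(allow map[string]bool, rawURL string) error {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return err
	}
	if !hostAllowed(allow, req) {
		return fmt.Errorf("initial host not allowed: %s", req.URL.Host)
	}
	client := &http.Client{CheckRedirect: func(next *http.Request, via []*http.Request) error {
		if len(via) >= 10 { // a custom CheckRedirect must re-impose Go's default 10-hop limit
			return fmt.Errorf("stopped after 10 redirects")
		}
		if !hostAllowed(allow, next) {
			return fmt.Errorf("%w: %s", ErrRedirectBlocked, next.URL.Host)
		}
		return nil
	}}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demoRedirectBypass runs a constructed "datasource" on an allowed host (127.0.0.1) that
// answers with a 302 to a forbidden host, and returns the hardened client's refusal.
func demoRedirectBypass() error {
	ds := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://forbidden.example.invalid/exfil", http.StatusFound)
	}))
	defer ds.Close()
	return allowListGet(map[string]bool{"127.0.0.1": true}, ds.URL+"/api/v1/query")
}
```

Because CheckRedirect runs before the next request is sent, the forbidden host is never contacted, not even for DNS resolution.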

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Grafana Enterprise for monitoring critical infrastructure, industrial control systems, or sensitive business applications. By bypassing the allow list, attackers can potentially redirect Grafana's HTTP requests to malicious external hosts, leading to unauthorized data exposure. This could include sensitive monitoring data, internal network information, or authentication tokens if such data is transmitted during these requests. The vulnerability could also be leveraged as part of a broader attack chain, for example, to facilitate phishing attacks by redirecting users to malicious sites or to exfiltrate data stealthily. Organizations in sectors such as finance, energy, healthcare, and government, which often use Grafana for observability, may face increased risks of data breaches or operational disruptions. Given that the vulnerability requires the presence of a malicious datasource capable of issuing redirects and the use of the Request security allow list feature, the attack surface is somewhat limited but still relevant in complex enterprise environments where custom datasources are common. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as threat actors may develop exploits over time.

Mitigation Recommendations

1. Upgrade Grafana Enterprise instances to version 7.5.16 or later, or 8.5.3 or later, where the vulnerability is patched.
2. Audit and restrict the addition of custom datasources, ensuring only trusted and verified datasources are used, minimizing the risk of malicious redirect responses.
3. Review and tighten the Request security allow list configurations to include only necessary and trusted hosts.
4. Implement network-level controls such as egress filtering to prevent unauthorized outbound HTTP redirects to untrusted external hosts.
5. Monitor Grafana logs for unusual redirect activity or unexpected datasource behavior that could indicate exploitation attempts.
6. Educate administrators and users about the risks of open redirects and the importance of validating datasource sources.
7. If immediate patching is not feasible, consider disabling the Request security allow list feature temporarily or restricting its use until patches can be applied.

These steps go beyond generic advice by focusing on datasource management, network controls, and configuration auditing specific to the Grafana environment.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-04-13T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf2f25

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 8:50:48 AM

Last updated: 8/11/2025, 7:42:59 PM