Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for an OAuth account takeover vulnerability in Grafana.

Release v.9.0.3, containing this security fix and other patches: Download Grafana 9.0.3 | Release notes
Release v.8.5.9, containing this security fix and other fixes: Download Grafana 8.5.9 | Release notes
Release v.8.4.10, containing this security fix and other fixes: Download Grafana 8.4.10 | Release notes
Release v.8.3.10, containing this security fix and other fixes: Download Grafana 8.3.10

Grafana account takeover via OAuth vulnerability (CVE-2022-31107)

Summary

On June 27 the HTTPVoid team contacted Grafana Labs to disclose a Grafana account takeover via OAuth vulnerability. We believe that this vulnerability is rated at CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).

Impact

It is possible for a malicious user who is authorized to log in to a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.

Affected versions with HIGH severity

All Grafana versions >= 5.3 are affected by this vulnerability.

Solutions and mitigations

All installations of Grafana v5.3 or later should be upgraded as soon as possible. As a workaround it is possible to disable any OAuth login, or to ensure that every user authorized to log in via OAuth already has a corresponding Grafana user account linked to their email address. Appropriate patches have been applied to Grafana…
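The two checks an operator wants after reading the sections above, as an added example that is not Grafana Labs' or the Grafana project's own code: first, whether a running version is affected, using only the facts the advisory states (everything >= 5.3 is affected; 8.3.10, 8.4.10, 8.5.9 and 9.0.3 are the fixed releases); second, whether the stated workaround's precondition holds, that is, whether every identity the OAuth IdP admits already has a Grafana account with that email. The treatment of branches newer than 9.0 as post-fix, the sample user list (in the shape of a `GET /api/users` response) and the IdP roster are constructed assumptions for illustration, not data from the advisory.

```python
"""Affected-version and workaround-precondition checks for CVE-2022-31107.

Added example, not Grafana's own code. Facts taken from the advisory text:
all Grafana >= 5.3 is affected; 8.3.10, 8.4.10, 8.5.9 and 9.0.3 contain the fix.
Everything else (sample users, IdP roster, handling of branches newer than 9.0)
is an assumption made for illustration.
"""
import re

FIRST_AFFECTED = (5, 3, 0)
# Fixed release per maintained branch, as listed in the advisory.
FIXED = {
    (8, 3): (8, 3, 10),
    (8, 4): (8, 4, 10),
    (8, 5): (8, 5, 9),
    (9, 0): (9, 0, 3),
}
NEWEST_FIXED_BRANCH = max(FIXED)


def parse_version(text):
    """Turn '8.5.9', 'v9.0.3' or '8.4.10-12345pre' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text):
    """Classify a running Grafana version against this advisory.

    Returns 'not affected' (older than 5.3), 'patched' (at or past the fixed
    release of its branch) or 'vulnerable' (affected, and no fix at this version).
    Assumption: branches newer than 9.0 post-date the fix and count as patched.
    """
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not affected"
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"  # assumption, see docstring
    # 5.3 .. 8.2: affected, and no patched release exists in the branch; upgrade.
    return "vulnerable"


def oauth_users_without_account(idp_emails, grafana_users):
    """Workaround precondition: every identity the IdP admits must already have a
    Grafana account linked to its email. Returns (missing, case_only): `missing`
    are IdP emails with no Grafana user at all; `case_only` match a Grafana user
    only when letter case is ignored, which is worth fixing too because an exact
    comparison would not link them. `grafana_users` has the shape of the
    /api/users listing (dicts carrying an 'email' field).
    """
    exact = {u["email"] for u in grafana_users}
    folded = {u["email"].lower() for u in grafana_users}
    missing, case_only = [], []
    for email in idp_emails:
        if email in exact:
            continue
        if email.lower() in folded:
            case_only.append(email)
        else:
            missing.append(email)
    return sorted(missing), sorted(case_only)


# Constructed sample: a trimmed GET /api/users response (not real data).
SAMPLE_GRAFANA_USERS = [
    {"id": 1, "login": "admin", "email": "admin@example.com"},
    {"id": 2, "login": "alice", "email": "alice@example.com"},
    {"id": 3, "login": "bob", "email": "Bob@example.com"},
]
# Constructed sample: identities the OAuth IdP is configured to admit.
SAMPLE_IDP_EMAILS = ["alice@example.com", "bob@example.com", "mallory@example.com"]

if __name__ == "__main__":
    for v in ("5.2.1", "7.5.16", "8.4.7", "8.5.9", "9.0.2", "9.0.3"):
        print(f"{v:>8}: {assess(v)}")
    missing, case_only = oauth_users_without_account(SAMPLE_IDP_EMAILS, SAMPLE_GRAFANA_USERS)
    print("no Grafana account:", missing)
    print("email differs only in case:", case_only)
```

Feed `assess()` the version string from the Grafana UI footer or `GET /api/health`, and `oauth_users_without_account()` the real `/api/users` listing together with the IdP's group or application membership. A non-empty `missing` list means the second workaround is not in place for those identities; the only complete fix remains upgrading to a release listed above.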