CVE-2022-31123
6.1
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Summary
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| grafana | grafana | < 8.5.14 | affected |
| grafana | grafana | >= 9.0.0, < 9.1.8 | affected |
Weaknesses
- CWE-347: CWE-347: Improper Verification of Cryptographic Signature
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.