CVE-2022-31097: Stored XSS in Grafana's Unified Alerting
First published: Wed Jul 06 2022(Updated: )
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=8.0.0<8.3.10 | |
| Grafana Grafana | >=8.4.0<8.4.10 | |
| Grafana Grafana | >=8.5.0<8.5.9 | |
| Grafana Grafana | >=9.0.0<9.0.3 | |
| Netapp E-series Performance Analyzer | ||
| redhat/Grafana | <9.0.3 | 9.0.3 |
| redhat/Grafana | <8.5.9 | 8.5.9 |
| redhat/Grafana | <8.4.10 | 8.4.10 |
| redhat/Grafana | <8.3.10 | 8.3.10 |
| go/github.com/grafana/grafana | >=8.0.0<8.3.10 | 8.3.10 |
| go/github.com/grafana/grafana | >=8.4.0<8.4.10 | 8.4.10 |
| go/github.com/grafana/grafana | >=8.5.0<8.5.9 | 8.5.9 |
| go/github.com/grafana/grafana | >=9.0.0<9.0.3 | 9.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
- https://security.netapp.com/advisory/ntap-20220901-0010/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2107436
- https://access.redhat.com/errata/RHSA-2023:3642
- https://bugzilla.redhat.com/show_bug.cgi?id=2104365
- https://nvd.nist.gov/vuln/detail/CVE-2022-31097
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10
- https://security.netapp.com/advisory/ntap-20220901-0010
- https://github.com/advisories/GHSA-vw7q-p2qg-4m5f (Advisory)
Frequently Asked Questions
What is CVE-2022-31097?
CVE-2022-31097 is a vulnerability in Grafana that allows for stored cross-site scripting via the Unified Alerting feature.
Which versions of Grafana are affected by CVE-2022-31097?
Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are affected by CVE-2022-31097.
What is the severity of CVE-2022-31097?
The severity of CVE-2022-31097 is high with a CVSS score of 8.7.
How can an attacker exploit CVE-2022-31097?
An attacker can exploit CVE-2022-31097 to escalate privileges and perform stored cross-site scripting attacks.
How can I mitigate CVE-2022-31097?
To mitigate CVE-2022-31097, update Grafana to version 9.0.3, 8.5.9, 8.4.10, or 8.3.10 depending on the branch you are using.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-31097
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vw7q-p2qg-4m5f
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/8.0.0
- version/grafana grafana/8.4.0
- version/grafana grafana/8.5.0
- version/grafana grafana/9.0.0
- vendor/netapp
- canonical/netapp e-series performance analyzer
- package-manager/redhat
- package-manager/go