CVE-2022-31123: Grafana plugin signature bypass vulnerability
First published: Fri Sep 30 2022(Updated: )
CVE-2022-31123: Plugin signature bypass It is possible to bypass plugin signatures by exploiting a versioning flaw in Grafana. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins <<a href="https://go.grafana.com/MzU2LVlGRy0zODkAAAGHKffeRdXtITNJ57jRLGNoDYneVd-OEEcBdv-IjxVZkAZ_sJruum93h2vIohJ4utenGSY7smU">https://go.grafana.com/MzU2LVlGRy0zODkAAAGHKffeRdXtITNJ57jRLGNoDYneVd-OEEcBdv-IjxVZkAZ_sJruum93h2vIohJ4utenGSY7smU</a>=> are not allowed. Affected versions: Grafana <= 9.1.x
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=7.0.0<8.5.14 | |
| Grafana Grafana | >=9.0.0<9.1.8 | |
| Netapp E-series Performance Analyzer | ||
| go/github.com/grafana/grafana | >=7.0.0<8.5.14 | 8.5.14 |
| go/github.com/grafana/grafana | >=9.0.0<9.1.8 | 9.1.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://go.grafana.com/MzU2LVlGRy0zODkAAAGHKffeRdXtITNJ57jRLGNoDYneVd-OEEcBdv-IjxVZkAZ_sJruum93h2vIohJ4utenGSY7smU
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134708
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:6420
- https://bugzilla.redhat.com/show_bug.cgi?id=2131147
- https://nvd.nist.gov/vuln/detail/CVE-2022-31123
- https://github.com/advisories/GHSA-rhxj-gh46-jvw8 (Advisory)
- https://security.netapp.com/advisory/ntap-20221124-0002
Frequently Asked Questions
What is the vulnerability ID for this Grafana vulnerability?
The vulnerability ID for this Grafana vulnerability is CVE-2022-31123.
What is Grafana?
Grafana is an open source observability and data visualization platform.
Which versions of Grafana are vulnerable?
Versions prior to 9.1.8 and 8.5.14 of Grafana are vulnerable.
What is the severity of CVE-2022-31123?
CVE-2022-31123 has a severity rating of 7.8 (high).
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by convincing a server admin to download and run a malicious plugin.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/softwarecombine
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-31123
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rhxj-gh46-jvw8
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/7.0.0
- version/grafana grafana/9.0.0
- vendor/netapp
- canonical/netapp e-series performance analyzer
- package-manager/go