CVE-2022-31130: Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
First published: Fri Sep 30 2022(Updated: )
CVE-2022-31130: Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins A security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens, as a result the destination plugin could receive a Grafana authentication token of the user. Affected versions: Grafana <= 9.1.x
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/grafana/grafana | >=7.0.0<8.5.14 | 8.5.14 |
| go/github.com/grafana/grafana | >=9.0.0<9.1.8 | 9.1.8 |
| Grafana Labs Grafana OSS and Enterprise | <8.5.14 | |
| Grafana Labs Grafana OSS and Enterprise | >=9.0.0<9.1.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
- https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134707
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:6420
- https://bugzilla.redhat.com/show_bug.cgi?id=2131146
- https://nvd.nist.gov/vuln/detail/CVE-2022-31130
- https://github.com/advisories/GHSA-jv32-5578-pxjc (Advisory)
Frequently Asked Questions
What is CVE-2022-31130?
CVE-2022-31130 is a vulnerability in Grafana that could leak authentication tokens to destination plugins under certain conditions.
Which versions of Grafana are affected by CVE-2022-31130?
Versions of Grafana prior to 9.1.8 and 8.5.14 are affected by CVE-2022-31130.
What is the severity of CVE-2022-31130?
CVE-2022-31130 has a severity level of high.
How can I fix CVE-2022-31130?
To fix CVE-2022-31130, upgrade your Grafana version to 9.1.8 or 8.5.14.
Are there any references for CVE-2022-31130?
Yes, you can find references for CVE-2022-31130 at the following links: [Link 1](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134707), [Link 2](https://access.redhat.com/errata/RHSA-2023:3642), [Link 3](https://bugzilla.redhat.com/show_bug.cgi?id=2131146).
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/severity
- agent/description
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-31130
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jv32-5578-pxjc
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/go
- vendor/grafana
- canonical/grafana labs grafana oss and enterprise
- version/grafana labs grafana oss and enterprise/9.0.0