Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31123

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

Published

2022-10-13T22:15:10.050

Last Modified

2024-11-21T07:03:56.640

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Primary
CWE-347

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	grafana	grafana	< 8.5.14	Yes
Application	grafana	grafana	< 9.1.8	Yes
Application	netapp	e-series_performance_analyzer	-	Yes

References

https://github.com/grafana/grafana/releases/tag/v9.1.8 Release Notes, Third Party Advisory ([email protected])
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 Patch, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20221124-0002/ Third Party Advisory ([email protected])
https://github.com/grafana/grafana/releases/tag/v9.1.8 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20221124-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)