CVE Vulnerability

CVE-2022-31130

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc Patch Third Party Advisory
https://github.com/grafana/grafana/releases/tag/v9.1.8 Release Notes Third Party Advisory
https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 Patch Third Party Advisory
https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Information

Published : 2022-10-13 11:15

Updated : 2022-10-17 01:31

NVD link : CVE-2022-31130

Mitre link : CVE-2022-31130

Products Affected
No products.
CWE
CWE-522