CVE-2022-31123
Summary
| CVE | CVE-2022-31123 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2022-10-13 22:15:00 UTC |
|---|
| Updated | 2022-12-03 15:03:00 UTC |
|---|
| Description | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| CVE-2022-31123 Grafana Vulnerability in NetApp Products | NetApp Product Security |
CONFIRM |
security.netapp.com |
|
| Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub |
MISC |
github.com |
|
| Plugin signature bypass · Advisory · grafana/grafana · GitHub |
CONFIRM |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 161102 Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-6420)
- 242309 Red Hat Update for grafana (RHSA-2023:6420)
- 690989 Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (4e60d660-6298-11ed-9ca2-6c3be5272acd)
- 753668 SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2023:0362-1)
- 941404 AlmaLinux Security Update for grafana (ALSA-2023:6420)
