CVE-2022-31123

Name
CVE-2022-31123
Description
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
MISC https://github.com/grafana/grafana/releases/tag/v9.1.8

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 9.0.0 < 9.1.8
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 7.0.0 < 8.5.14

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
grafana 3.16-community 8.5.13-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable