CVE-2022-31123

Name
CVE-2022-31123
Description
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
MISC https://github.com/grafana/grafana/releases/tag/v9.1.8

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 9.0.0 < 9.1.8
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* grafana >= 7.0.0 < 8.5.14

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
grafana 3.16-community 8.5.13-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable