CVE-2022-31097
published 2022-07-15


Priority: P2 62 high
CVSS 3.1: 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS: 68.60% (99.3rd percentile)
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branches prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin into clicking a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

Affected

12 ranges

Vendor        Product           Version range        Fixed in
github.com    grafana_grafana   >= 8.0.0 < 8.3.10    8.3.10
github.com    grafana_grafana   >= 8.4.0 < 8.4.10    8.4.10
github.com    grafana_grafana   >= 8.5.0 < 8.5.9     8.5.9
github.com    grafana_grafana   >= 9.0.0 < 9.0.3     9.0.3
grafana       grafana           (no range given)     (none given)
grafana       grafana           (no range given)     (none given)
grafana       grafana           (no range given)     (none given)
grafana       grafana           (no range given)     (none given)
grafana       grafana           >= 8.0.0 < 8.3.10    8.3.10
grafana       grafana           >= 8.4.0 < 8.4.10    8.4.10
grafana       grafana           >= 8.5.0 < 8.5.9     8.5.9
grafana       grafana           >= 9.0.0 < 9.0.3     9.0.3

Detection & IOCs (extracted from sources)

  • Stored XSS vulnerability is located specifically in the Unified Alerting feature of Grafana; monitor for unexpected script injection via alert rule names or annotations in Grafana's Unified Alerting interface.
  • Attack vector requires an authenticated admin to click a crafted link; monitor for privilege escalation events where editor-role accounts are elevated to admin following admin user activity.
  • Scope affected Grafana versions to 8.x and 9.x branches prior to the patched releases (9.0.3, 8.5.9, 8.4.10, 8.3.10); audit deployed Grafana instances for version compliance.
  • Disabling Unified Alerting (unified_alerting) in the Grafana configuration is a documented workaround; reverting to legacy alerting mitigates the XSS attack surface until patching is possible.
  • Mitigation reference for disabling Unified Alerting is documented on the Grafana configuration page under the unified_alerting setting.

CVSS provenance

Source          Score   Severity   Vector
nvd (v3.1)      8.7     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
ghsa            8.7     HIGH
osv             8.7     HIGH
vendor_redhat   7.3     HIGH