CVE-2022-31097
Published 2022-07-15
Priority: P2 (62) · Severity: high · CVSS 3.1 base score: 8.7
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 68.60% (99.3rd percentile)
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 8.0.0 < 8.3.10 | 8.3.10 |
| github.com | grafana_grafana | >= 8.4.0 < 8.4.10 | 8.4.10 |
| github.com | grafana_grafana | >= 8.5.0 < 8.5.9 | 8.5.9 |
| github.com | grafana_grafana | >= 9.0.0 < 9.0.3 | 9.0.3 |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 8.0.0 < 8.3.10 | 8.3.10 |
| grafana | grafana | >= 8.4.0 < 8.4.10 | 8.4.10 |
| grafana | grafana | >= 8.5.0 < 8.5.9 | 8.5.9 |
| grafana | grafana | >= 9.0.0 < 9.0.3 | 9.0.3 |
Detection & IOCs (extracted from sources)
- Stored XSS vulnerability is located specifically in the Unified Alerting feature of Grafana; monitor for unexpected script injection via alert rule names or annotations in Grafana's Unified Alerting interface.
- Attack vector requires an authenticated admin to click a crafted link; monitor for privilege escalation events where editor-role accounts are elevated to admin following admin user activity.
- Scope affected Grafana versions to the 8.x and 9.x branches prior to the patched releases (9.0.3, 8.5.9, 8.4.10, 8.3.10); audit deployed Grafana instances for version compliance.
- Disabling Unified Alerting (unified_alerting) in the Grafana configuration is a documented workaround; reverting to legacy alerting mitigates the XSS attack surface until patching is possible.
- Mitigation reference for disabling Unified Alerting is documented on the Grafana configuration page under the unified_alerting setting.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
| ghsa | 8.7 | HIGH | — |
| osv | 8.7 | HIGH | — |
| vendor_redhat | 7.3 | HIGH | — |
Red Hat
grafana: stored XSS vulnerability
vendor_redhat · 2022-07-14 · CVSS 7.3 · CVE-2022-31097 [HIGH] CWE-79
A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.
Mitigation: Disable Unified alerting.
https://grafana.com/docs/grafana/latest/setup-grafana/
OSV
Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana
osv · 2024-06-05 · CVE-2022-31097
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.
OSV
Grafana Stored Cross-site Scripting in Unified Alerting
osv · 2024-05-14 · CVSS 8.7 · CVE-2022-31097 [HIGH]
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.
Release v.9.0.3, containing this security fix and other patches:
- [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3)
- [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/)
Release v.8.5.9, containing this security fix and other fixes:
- [Download Grafana 8.5.9](https://grafana.com/grafana/download/8.5.9)
- [Release notes](https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/)
Release v.8.4.10, containing this security fix and other fixes:
- [Download Grafana 8.4.10](https://grafana.com/graf
GHSA
Grafana Stored Cross-site Scripting in Unified Alerting
ghsa · 2024-05-14 · CVSS 8.7 · CVE-2022-31097 [HIGH] CWE-79
OSV
CVE-2022-31097: Grafana is an open-source platform for monitoring and observability
osv · 2022-07-15 · CVSS 8.7 · CVE-2022-31097 [HIGH]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
https://security.netapp.com/advisory/ntap-20220901-0010/
Published 2022-07-15