CVE-2022-31123
Published 2022-10-13
Priority: P336 · high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.25% (percentile 16.1)
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 7.0.0 < 8.5.14 | 8.5.14 |
| github.com | grafana_grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
| grafana | grafana | < 8.5.14 | 8.5.14 |
| grafana | grafana | — | — |
| grafana | grafana | >= 7.0.0 < 8.5.14 | 8.5.14 |
| grafana | grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| ghsa | 7.8 | HIGH | — |
| osv | 7.8 | HIGH | — |
| vendor_oracle | 7.8 | MEDIUM | — |
| vendor_redhat | 6.1 | MEDIUM | — |
Oracle
Oracle Communications Applications Risk Matrix: Common fns (Grafana) — CVE-2022-31123
vendor_oracle · 2023-04-15 · CVSS 7.8 (MEDIUM)
CVE: CVE-2022-31123
CVSS: 7.8
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2023 (APR 2023)
Red Hat
grafana: plugin signature bypass
vendor_redhat · 2022-10-14 · CVSS 6.1 (MEDIUM)
A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.
Package: rhacm2/acm-grafana-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Will not fix
Package: grafana (R
OSV
Grafana Plugin signature bypass in github.com/grafana/grafana
osv · 2024-06-05
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, and from v9.0.0 before v9.1.8.
GHSA
Grafana Plugin signature bypass
ghsa · 2024-05-14 · CVSS 7.8 (HIGH) · CWE-347
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123.
We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.
Release 9.2, latest release, also containing the security fix:
- [Download Grafana 9.2](https://grafana.com/grafana/download/9.2)
Release 9.1.8, only containing the security fix:
- [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8)
Release 8.5.14, only containing the security fix:
- [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14)
Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and, as always, we closely coordinated with all cloud provi
OSV
Grafana Plugin signature bypass
osv · 2024-05-14 · CVSS 7.8 (HIGH)
OSV
CVE-2022-31123: Grafana is an open source observability and data visualization platform
osv · 2022-10-13 · CVSS 7.8 (HIGH)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://security.netapp.com/advisory/ntap-20221124-0002/
Published: 2022-10-13