CVE-2022-31130: Sensitive Information Exposure in Grafana

Severity

NVD: 7.5 HIGH
CNA: 4.9
EPSS: 0.4% (top 40.59%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline

Published: Oct 13 (2022)
Latest update: Jun 5 (2024)

Description

Grafana is an open source observability and data visualization platform. Grafana versions prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability affects the data source and plugin proxy endpoints when the incoming request carries an authentication token: the destination plugin could receive the user's own Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication
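To make the bug class concrete, here is an added example (not Grafana's code and not the actual fix) of the pattern the description names: a reverse proxy built on Go's net/http/httputil whose default Director copies every inbound header to the upstream, so a caller's Authorization bearer token travels on to the destination; the hardened variant strips the caller's credential headers before forwarding. The tokenSeenUpstream helper is the check a practitioner wants: point a proxy endpoint at a recording upstream, send one authenticated request, and see whether the token arrives. The header list, the request path and the token value are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// credentialHeaders lists request headers that carry the caller's own
// credentials. A proxy endpoint must not pass these on to the destination
// plugin; the plugin should only see credentials configured for it.
// (Assumption for this example: these two headers are the relevant ones.)
var credentialHeaders = []string{"Authorization", "Cookie"}

// newLeakyProxy forwards the request to upstream verbatim. httputil's default
// Director copies every inbound header, so the user's bearer token is
// forwarded to the destination: the class of defect described above.
func newLeakyProxy(upstream *url.URL) http.Handler {
	return httputil.NewSingleHostReverseProxy(upstream)
}

// newHardenedProxy removes the caller's credential headers before forwarding.
func newHardenedProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	dir := rp.Director
	rp.Director = func(r *http.Request) {
		dir(r)
		for _, h := range credentialHeaders {
			r.Header.Del(h)
		}
	}
	return rp
}

// recordingUpstream stands in for a destination plugin and records the
// headers of the last request it received.
type recordingUpstream struct {
	mu   sync.Mutex
	last http.Header
}

func (u *recordingUpstream) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	u.mu.Lock()
	u.last = r.Header.Clone()
	u.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// tokenSeenUpstream sends one request carrying "Authorization: Bearer <token>"
// through the proxy produced by build and returns the Authorization value the
// upstream actually received ("" when nothing was forwarded).
func tokenSeenUpstream(build func(*url.URL) http.Handler, token string) (string, error) {
	up := &recordingUpstream{}
	upSrv := httptest.NewServer(up)
	defer upSrv.Close()

	upURL, err := url.Parse(upSrv.URL)
	if err != nil {
		return "", err
	}
	proxySrv := httptest.NewServer(build(upURL))
	defer proxySrv.Close()

	// Stand-in path; not a specific Grafana route.
	req, err := http.NewRequest(http.MethodGet, proxySrv.URL+"/proxy/query", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()

	up.mu.Lock()
	defer up.mu.Unlock()
	return up.last.Get("Authorization"), nil
}

func main() {
	// Constructed token for the demonstration; not a real credential.
	const token = "EXAMPLE_TOKEN_not_real"
	leaked, _ := tokenSeenUpstream(newLeakyProxy, token)
	kept, _ := tokenSeenUpstream(newHardenedProxy, token)
	fmt.Printf("leaky proxy forwarded:    %q\n", leaked)
	fmt.Printf("hardened proxy forwarded: %q\n", kept)
}
```

Run it with `go run .`: the leaky proxy reports the full bearer token at the upstream, the hardened one reports an empty string. The same harness can be pointed at any proxy endpoint you operate by swapping the handler for an HTTP client aimed at the real service.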

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6 (NVD base score 7.5; the CNA assigned 4.9)

Affected Packages (3 packages)

Source      Package                      Affected versions
CVEList V5  grafana/grafana              < 8.5.14 (+1 more range)
NVD         grafana/grafana              >= 9.0.0, < 9.1.8 (+1 more range)
Go          github.com/grafana/grafana   >= 9.0.0, < 9.1.8 (+1 more range)

Patches

🔴 Vulnerability Details (5)

- OSV (2024-06-05): Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana
- GHSA (2024-05-14): Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
- OSV (2024-05-14): Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
- CVEList (2022-10-13): Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
- OSV (2022-10-13): CVE-2022-31130: Grafana is an open source observability and data visualization platform

📋 Vendor Advisories (1)

- Red Hat (2022-10-14): grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
CVE-2022-31130 — Sensitive Information Exposure | cvebase