CVE-2022-31130
Published 2022-10-13
Priority: P3 (46)
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.96% (57.2 percentile)
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 7.0.0 < 8.5.14 | 8.5.14 |
| github.com | grafana_grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
| grafana | grafana | < 8.5.14 | 8.5.14 |
| grafana | grafana | — | — |
| grafana | grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
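Two checks a practitioner wants here: is a given build inside the ranges in the table above, and does a running instance actually forward the caller's credentials to a destination plugin as the description says. The following Go program is an added example, not Grafana project code. It encodes the two concrete ranges from the table (>=7.0.0 <8.5.14 and >=9.0.0 <9.1.8; the empty "—" row is not encoded), ignores pre-release suffixes when comparing, and runs a mock destination you point a Grafana data source at, reporting any credential-bearing headers it receives. The port 8089, the `/probe` path, the `<datasource id>` placeholder, and the header name `X-JWT-Assertion` (the value the Grafana docs use for `[auth.jwt] header_name`, which is configurable) are assumptions of the example; the data source proxy route `/api/datasources/proxy/<id>/...` is Grafana's.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strconv"
	"strings"
)

// version is a semver triple; pre-release/build suffixes are dropped.
type version struct{ major, minor, patch int }

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("bad version %q: %w", s, err)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// Half-open range [from, before), as listed in the advisory table.
type affectedRange struct{ from, before version }

var affectedRanges = []affectedRange{
	{version{7, 0, 0}, version{8, 5, 14}},
	{version{9, 0, 0}, version{9, 1, 8}},
}

// IsAffected reports whether a Grafana version lies in a vulnerable range
// and, if so, the first fixed release on that branch.
func IsAffected(s string) (bool, string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		if !v.less(r.from) && v.less(r.before) {
			return true, fmt.Sprintf("%d.%d.%d", r.before.major, r.before.minor, r.before.patch), nil
		}
	}
	return false, "", nil
}

// Headers that carry the caller's own Grafana credentials: Authorization
// (API keys, Basic auth), the JWT header (name is configurable; X-JWT-Assertion
// is an assumption here) and Cookie (a forwarded grafana_session cookie).
var credentialHeaders = []string{"Authorization", "X-JWT-Assertion", "Cookie"}

// ForwardedCredentials returns the credential-bearing headers present in a
// request that reached the mock destination, values redacted so the check
// itself never writes a token to its log.
func ForwardedCredentials(h http.Header) map[string]string {
	found := map[string]string{}
	for _, name := range credentialHeaders {
		if v := h.Get(name); v != "" {
			found[name] = redact(v)
		}
	}
	return found
}

func redact(v string) string {
	if len(v) <= 8 {
		return "<redacted>"
	}
	return v[:8] + "...(" + strconv.Itoa(len(v)) + " chars)"
}

// mockDestination stands in for a data source backend. Point a Grafana data
// source at http://<this host>:8089, then call the proxy with an API key:
//   curl -H 'Authorization: Bearer <api key>' \
//        http://grafana:3000/api/datasources/proxy/<datasource id>/probe
// A vulnerable instance may forward the caller's Bearer token; 9.1.8/8.5.14
// and later should not.
func mockDestination(w http.ResponseWriter, r *http.Request) {
	found := ForwardedCredentials(r.Header)
	if len(found) == 0 {
		log.Printf("%s %s: no caller credentials forwarded", r.Method, r.URL.Path)
	} else {
		log.Printf("%s %s: LEAK, caller credentials forwarded: %v", r.Method, r.URL.Path, found)
	}
	fmt.Fprintln(w, "ok")
}

func main() {
	for _, v := range []string{"8.5.13", "8.5.14", "v9.1.7", "9.2.0"} {
		hit, fixed, err := IsAffected(v)
		switch {
		case err != nil:
			log.Printf("%s: %v", v, err)
		case hit:
			log.Printf("%s: affected, upgrade to %s", v, fixed)
		default:
			log.Printf("%s: not in an affected range", v)
		}
	}
	log.Println("mock destination listening on :8089")
	log.Fatal(http.ListenAndServe(":8089", http.HandlerFunc(mockDestination)))
}
```

Run the listener before and after upgrading: the same curl through the proxy should log "LEAK" on a vulnerable build and "no caller credentials forwarded" on a patched one. Because the mock reports every header in `credentialHeaders`, also extend that list with the header name your own `[auth.jwt]` or auth-proxy configuration uses.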
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_redhat | 4.9 | MEDIUM | |
OSV
Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana
osv · 2024-06-05 · CVE-2022-31130
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.
GHSA
Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
ghsa · 2024-05-14 · CVSS 7.5 · HIGH · CWE-200 · CVE-2022-31130
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130.
We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.
Release 9.2, latest release, also containing security fix:
- [Download Grafana 9.2](https://grafana.com/grafana/download/9.2)
Release 9.1.8, only containing security fix:
- [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8)
Release 8.5.14, only containing security fix:
- [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14)
Appropriate patches have been applied to [Grafana Cloud](https://graf
OSV
Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
osv · 2024-05-14 · CVSS 7.5 · HIGH · CVE-2022-31130
Mirrors the GHSA advisory text above (same 9.2 / 9.1.8 / 8.5.14 release notes).
OSV
CVE-2022-31130: Grafana is an open source observability and data visualization platform
osv · 2022-10-13 · CVSS 7.5 · HIGH
Description identical to the summary at the top of this page.
Red Hat
grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
vendor_redhat · 2022-10-14 · CVSS 4.9 · MEDIUM · CVE-2022-31130
Description identical to the summary at the top of this page; Red Hat adds:
A flaw was found in Grafana's use of the GitLab data source plugin, leaking the API key to gitlab. This can result in the destination plugin receivin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
- https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f