CVE-2022-31130

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc	Patch Third Party Advisory
https://github.com/grafana/grafana/releases/tag/v9.1.8	Release Notes Third Party Advisory
https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177	Patch Third Party Advisory
https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

Information

Published : 2022-10-13 16:15

Updated : 2022-10-17 06:31

NVD link : CVE-2022-31130

Mitre link : CVE-2022-31130

JSON object : View

CWE

CWE-522

Insufficiently Protected Credentials

Advertisement

Products Affected

grafana

grafana

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc", "name": "https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8", "name": "https://github.com/grafana/grafana/releases/tag/v9.1.8", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177", "name": "https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f", "name": "https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-522"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31130", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2022-10-13T23:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "9.1.8", "versionStartIncluding": "9.0.0"}, {"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "8.5.14"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-10-17T13:31Z"}