Vulnerability Description
Grafana is an open source observability and data visualization platform. Grafana versions prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability affects data source and plugin proxy endpoints that forward authentication tokens: the destination plugin could receive the user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP header based authentication.
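The description above names two fixed releases on separate lines (8.5.14 and 9.1.8) and a workaround that hinges on which authentication modes are enabled. The following triage helper is an added example, not code from Grafana or from this advisory: it decides whether a running version predates the fix on its own release line and scans a grafana.ini fragment for the header-based authentication sections (`[auth.proxy]`, `[auth.jwt]`) the workaround tells you to avoid. Treating only those two sections as "header based" and treating releases after 9.x as unaffected are simplifying assumptions, and the ini fragment is constructed for the example.

```python
"""Triage helper for CVE-2022-31130 (Grafana auth-token leak to destination plugins)."""
import configparser
import re

# Fixed releases named in the advisory: 8.5.14 for the 8.x line, 9.1.8 for the 9.x line.
FIXED = {8: (8, 5, 14), 9: (9, 1, 8)}

# grafana.ini sections that enable the HTTP-header-based authentication the workaround
# says to avoid. The section and key names are real Grafana settings; limiting the check
# to these two sections is a simplifying assumption of this example.
HEADER_AUTH_SECTIONS = ("auth.proxy", "auth.jwt")


def parse_version(text):
    """Return (major, minor, patch) from strings like '9.1.7', 'v8.5.13' or '9.2.0-beta1'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the given Grafana version predates the fix on its release line."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED:
        return v < FIXED[major]
    # Lines older than 8.x never received the fix (affected); lines newer than 9.x
    # were cut after the fix (assumed unaffected here).
    return major < 8


def header_auth_enabled(ini_text):
    """Names of header-based auth sections that have enabled = true in a grafana.ini."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string(ini_text)
    # fallback=False also covers a section that is absent from the file entirely.
    return [s for s in HEADER_AUTH_SECTIONS if cp.getboolean(s, "enabled", fallback=False)]


def assess(version, ini_text):
    """Combine the version and config findings into a triage verdict."""
    affected = is_affected(version)
    header_auth = header_auth_enabled(ini_text)
    if not affected:
        action = "patched: no action"
    elif header_auth:
        action = "upgrade; until then disable " + ", ".join(header_auth) + " and stop using API keys"
    else:
        action = "upgrade; header-based auth not enabled, but API keys may still be in use"
    return {"affected": affected, "header_auth": header_auth, "action": action}


# Constructed sample grafana.ini fragment (not taken from any real deployment).
SAMPLE_INI = """
[server]
http_port = 3000

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER

[auth.jwt]
enabled = false
"""

if __name__ == "__main__":
    for ver in ("8.5.13", "8.5.14", "9.1.7", "9.1.8"):
        print(ver, assess(ver, SAMPLE_INI))
```

The version check compares per release line rather than against a single threshold, because 9.0.x is newer than 8.5.14 yet still vulnerable; API-key usage cannot be read from grafana.ini, so the verdict only reminds you to review it.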
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Grafana | Grafana | < 8.5.14 |
Related Weaknesses (CWE)
References
- https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b1 (Patch, Third Party Advisory)
- https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d388 (Patch, Third Party Advisory)
- https://github.com/grafana/grafana/releases/tag/v9.1.8 (Release Notes, Third Party Advisory)
- https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc (Patch, Third Party Advisory)
FAQ
What is CVE-2022-31130?
CVE-2022-31130 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Grafana is an open source observability and data visualization platform. Grafana versions prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under ...
How severe is CVE-2022-31130?
CVE-2022-31130 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31130?
Check the references section above for vendor advisories and patch information. Affected products include: Grafana (vendor: Grafana).