Vulnerability Details : CVE-2022-31123
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Exploit prediction scoring system (EPSS) score for CVE-2022-31123
Probability of exploitation activity in the next 30 days: 0.06%
Percentile (the proportion of vulnerabilities scored at or below this one): ~22%
CVSS scores for CVE-2022-31123
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | nvd@nist.gov |
6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L | 0.6 | 5.5 | security-advisories@github.com |
CWE ids for CVE-2022-31123
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31123
- https://github.com/grafana/grafana/releases/tag/v9.1.8
  Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub (Release Notes; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20221124-0002/
  CVE-2022-31123 Grafana Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
  Plugin signature bypass · Advisory · grafana/grafana · GitHub (Patch; Third Party Advisory)
Products affected by CVE-2022-31123
- cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*