Vulnerability Details : CVE-2022-31097
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branches prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from Editor to Admin by tricking an authenticated admin into clicking on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-31097
- cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31097
- EPSS score: 0.55% (probability of exploitation activity in the next 30 days)
- Percentile: ~77% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-31097
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 2.3 | 5.8 | NIST | |
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 2.1 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2022-31097
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-31097
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ - Release notes for Grafana 8.4.10 | Grafana documentation (Release Notes; Vendor Advisory)
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ - 404 Page not found | Grafana Labs (Release Notes; Vendor Advisory)
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ - Release notes for Grafana 9.0.3 | Grafana documentation (Release Notes; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20220901-0010/ - July 2022 Grafana Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f - Stored XSS in Unified Alerting · Advisory · grafana/grafana · GitHub (Release Notes; Third Party Advisory)