Vulnerability Details : CVE-2022-31123
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Products affected by CVE-2022-31123
- cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31123
- 0.08%: Probability of exploitation activity in the next 30 days
- ~32%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31123
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L | 0.6 | 5.5 | GitHub, Inc. | |
CWE ids for CVE-2022-31123
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31123
- https://github.com/grafana/grafana/releases/tag/v9.1.8
  Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub (Release Notes; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20221124-0002/
  CVE-2022-31123 Grafana Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
  Plugin signature bypass · Advisory · grafana/grafana · GitHub (Patch; Third Party Advisory)