Vulnerability Details : CVE-2022-31130
Grafana is an open source observability and data visualization platform. Grafana versions prior to 9.1.8 and 8.5.14 could, under some conditions, leak authentication tokens to some destination plugins. The vulnerability affects the data source and plugin proxy endpoints when requests carry authentication tokens: the destination plugin could receive the user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP header based authentication.
Vulnerability category: Information leak
Products affected by CVE-2022-31130
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31130
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~43% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-31130
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
| 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-31130
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-31130
- https://github.com/grafana/grafana/releases/tag/v9.1.8 : "Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub" (Release Notes; Third Party Advisory)
- https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 : "Security: Make proxy endpoints not leak sensitive HTTP headers · grafana/grafana@4dd56e4 · GitHub" (Patch; Third Party Advisory)
- https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f : "Plugins: Make proxy endpoints not leak sensitive HTTP headers · grafana/grafana@9da278c · GitHub" (Patch; Third Party Advisory)
- https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc : "Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins · Advisory · grafana/grafana · GitHub" (Patch; Third Party Advisory)