Vulnerability Details : CVE-2022-31176
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels and dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). All Grafana installations should be upgraded to version 3.6.1 as soon as possible. As a workaround it is possible to [disable HTTP remote rendering](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#plugingrafana-image-renderer).
Vulnerability category: Information leak
Products affected by CVE-2022-31176
- cpe:2.3:a:grafana:grafana-image-renderer:*:*:*:*:*:grafana:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31176
- EPSS score: 0.26% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~66% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-31176
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 | NIST | 
8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H | 2.8 | 5.5 | GitHub, Inc. | 
CWE ids for CVE-2022-31176
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-31176
- https://security.netapp.com/advisory/ntap-20221209-0004/ : CVE-2022-31176 Grafana Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5 : Grafana Image Renderer leaking files · Advisory · grafana/grafana-image-renderer · GitHub (Mitigation; Third Party Advisory)
- https://github.com/grafana/grafana-image-renderer/pull/364 : Security: Add support for auth token by joanlopez · Pull Request #364 · grafana/grafana-image-renderer · GitHub (Issue Tracking; Patch; Third Party Advisory)