CVE-2022-31130 Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

2022-10-1300:00:00

CWE-200

GitHub_M

www.cve.org

grafana

data source

plugin

authentication token

leakage

vulnerability

api keys

jwt authentication

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.1%

JSON

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user’s Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

CNA Affected

[
  {
    "vendor": "grafana",
    "product": "grafana",
    "versions": [
      {
        "version": "< 8.5.14",
        "status": "affected"
      },
      {
        "version": ">= 9.0.0, < 9.1.8",
        "status": "affected"
      }
    ]
  }
]