7.8
CVE-2022-31123
- EPSS 0.25%
- Veröffentlicht 13.10.2022 22:15:10
- Zuletzt bearbeitet 21.11.2024 07:03:56
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Grafana plugin signature bypass vulnerability
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.159 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 6.1 | 0.6 | 5.5 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
https://security.netapp.com/advisory/ntap-20221124-0002/