7.5

CVE-2022-31130

Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GrafanaGrafana Version < 8.5.14
GrafanaGrafana Version >= 9.0.0 < 9.1.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.96% 0.57
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/grafana/grafana/releases/tag/v9.1.8
Third Party Advisory
Release Notes
https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
Patch
Third Party Advisory
https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f
Patch
Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
Patch
Third Party Advisory