
CVE-2022-31123: Grafana Plugin signature bypass

CVSS Score (CVSS v3.1)
6.1

Basic Information

EPSS Score
0.00429%
Published
5/14/2024
Updated
11/18/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Package Name               | Ecosystem | Vulnerable Versions | First Patched Version
github.com/grafana/grafana | go        | >= 9.0.0, < 9.1.8   | 9.1.8
github.com/grafana/grafana | go        | >= 7.0.0, < 8.5.14  | 8.5.14

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The provided vulnerability information describes a plugin signature bypass via versioning flaws (CWE-347) but does not include concrete code references, commit diffs, or specific function names. While the core issue likely resides in plugin signature verification logic (e.g., functions handling plugin version validation and cryptographic checks), the lack of explicit technical details about the flawed code paths or patched functions in the advisory materials prevents high-confidence identification of specific vulnerable functions. The fix versions (9.1.8/8.5.14) imply changes to the plugin validation workflow, but without access to the actual code changes, we cannot definitively map the vulnerability to specific functions.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Today we are releasing Grafana *.*. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these i
