CVE-2022-31123: Grafana Plugin signature bypass
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.00429%
CWE
Published
5/14/2024
Updated
11/18/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/grafana/grafana | go | >= 9.0.0, < 9.1.8 | 9.1.8 |
github.com/grafana/grafana | go | >= 7.0.0, < 8.5.14 | 8.5.14 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided vulnerability information describes a plugin signature bypass via versioning flaws (CWE-347) but does not include concrete code references, commit diffs, or specific function names. While the core issue likely resides in plugin signature verification logic (e.g., functions handling plugin version validation and cryptographic checks), the lack of explicit technical details about the flawed code paths or patched functions in the advisory materials prevents high-confidence identification of specific vulnerable functions. The fix versions (9.1.8/8.5.14) imply changes to the plugin validation workflow, but without access to the actual code changes, we cannot definitively map the vulnerability to specific functions.