6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31123

GHSA ID

GHSA-rhxj-gh46-jvw8

EPSS Score

0.00429%

CWE

CWE-347

Published

5/14/2024

Updated

11/18/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31123

CVE-2022-31123:
Grafana Plugin signature bypass

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123

We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.

Release 9.2, latest release, also containing security fix:

Download Grafana 9.2

Release 9.1.8, only containing security fix:

Download Grafana 9.1.8

Release 8.5.14, only containing security fix:

Download Grafana 8.5.14

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.

CVE-2022-31123

Summary

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

Impact

An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.

Impacted versions

All installations for Grafana versions <=9.x, <=8.x, <=7.x

Solutions and mitigations

To fully address CVE-2022-31123 please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31123

GHSA ID

GHSA-rhxj-gh46-jvw8

EPSS Score

0.00429%

CWE

CWE-347

Published

5/14/2024

Updated

11/18/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	>= 9.0.0, < 9.1.8	9.1.8
github.com/grafana/grafana	go	>= 7.0.0, < 8.5.14	8.5.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes a plugin signature bypass via versioning flaws (CWE-347) but does not include concrete code references, commit diffs, or specific function names. While the core issue likely resides in plugin signature verification logic (e.g., functions handling plugin version validation and cryptographic checks), the lack of explicit technical details about the flawed code paths or patched functions in the advisory materials prevents high-confidence identification of specific vulnerable functions. The fix versions (9.1.8/8.5.14) imply changes to the plugin validation workflow, but without access to the actual code changes, we cannot definitively map the vulnerability to specific functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

To**y w* *r* r*l**sin* *r***n* *.*. *lon*si** wit* n*w ***tur*s *n* ot**r *u* *ix*s, t*is r*l**s* in*lu**s * Mo**r*t* s*v*rity s**urity *ix *or *V*-****-***** W* *r* *lso r*l**sin* s**urity p*t***s *or *r***n* *.*.* *n* *r***n* *.*.** to *ix t**s* i

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * plu*in si*n*tur* *yp*ss vi* v*rsionin* *l*ws (*W*-***) *ut *o*s not in*lu** *on*r*t* *o** r***r*n**s, *ommit *i**s, or sp**i*i* *un*tion n*m*s. W*il* t** *or* issu* lik*ly r*si**s in plu*in si*n*tur*

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-31123: Grafana Plugin signature bypass

CVE-2022-31123

Summary

Impact

Impacted versions

Solutions and mitigations

Reporting security issues

Security announcements

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31123:
Grafana Plugin signature bypass

Vulnerability Intelligence
Miggo AI