CVE-2022-31123 - Vulnerability Details - OpenCVE

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Grafana	Grafana
Netapp	E-series Performance Analyzer
Redhat	Ceph Storage Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

Configuration 2 [-]

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Ceph Storage 6.1
rhceph/rhceph-6-dashboard-rhel9:6-75	cpe:/a:redhat:ceph_storage:6.1::el9	RHSA-2023:3642	2023-06-15T00:00:00Z
Red Hat Enterprise Linux 9
grafana-0:9.2.10-7.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6420	2023-11-07T00:00:00Z

References

Link	Providers
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
https://nvd.nist.gov/vuln/detail/CVE-2022-31123
https://security.netapp.com/advisory/ntap-20221124-0002/
https://www.cve.org/CVERecord?id=CVE-2022-31123

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-13T00:00:00

Updated: 2024-08-03T07:11:39.205Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31123

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-13T22:15:10.050

Modified: 2024-11-21T07:03:56.640

Link: CVE-2022-31123

Redhat

Severity : Moderate

Publid Date: 2022-10-14T00:00:00Z

Links: CVE-2022-31123 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31123", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T07:11:39.205Z", "dateReserved": "2022-05-18T00:00:00", "datePublished": "2022-10-13T00:00:00"}, "containers": {"cna": {"title": "Grafana plugin signature bypass vulnerability", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-24T00:00:00"}, "descriptions": [{"lang": "en", "value": "Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources."}], "affected": [{"vendor": "grafana", "product": "grafana", "versions": [{"version": "< 8.5.14", "status": "affected"}, {"version": ">= 9.0.0, < 9.1.8", "status": "affected"}]}], "references": [{"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"}, {"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"}, {"url": "https://security.netapp.com/advisory/ntap-20221124-0002/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "cweId": "CWE-347"}]}], "source": {"advisory": "GHSA-rhxj-gh46-jvw8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.205Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8", "tags": ["x_transferred"]}, {"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221124-0002/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDAE1A84-3ACC-4651-9FF8-B73F958DC2AC", "versionEndExcluding": "8.5.14", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8E1ACC7-F43B-4395-A1FD-44CAEB43430D", "versionEndExcluding": "9.1.8", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources."}, {"lang": "es", "value": "Grafana es una plataforma de c\u00f3digo abierto de observabilidad y visualizaci\u00f3n de datos. Las versiones anteriores a 9.1.8 y 8.5.14, son vulnerables a una omisi\u00f3n en la verificaci\u00f3n de la firma del plugin. Un atacante puede convencer a un administrador del servidor para que descargue y ejecute con \u00e9xito un plugin malicioso a pesar de que los plugins sin firma no est\u00e1n permitidos. Las versiones 9.1.8 y 8.5.14 contienen un parche para este problema. Como mitigaci\u00f3n, no instale plugins descargados de fuentes no confiables"}], "id": "CVE-2022-31123", "lastModified": "2024-11-21T07:03:56.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-13T22:15:10.050", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221124-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221124-0002/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3642", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "rhceph/rhceph-6-dashboard-rhel9:6-75", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:6420", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "grafana-0:9.2.10-7.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "grafana: plugin signature bypass", "id": "2131147", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "status": "verified"}, "details": ["Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.", "A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code."], "name": "CVE-2022-31123", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2022-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31123\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31123\nhttps://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"], "threat_severity": "Moderate"}