Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-6F6C9420-6297-11ED-9CA2-6C3BE5272ACD (CVE-2022-31130): Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Free InsightVM Trial No Credit Card Necessary
Watch Demo See how it all works
Back to Search

FreeBSD: VID-6F6C9420-6297-11ED-9CA2-6C3BE5272ACD (CVE-2022-31130): Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
06/26/2022
Created
11/15/2022
Added
11/13/2022
Modified
11/13/2022

Description

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

Solution(s)

  • freebsd-upgrade-package-grafana
  • freebsd-upgrade-package-grafana7
  • freebsd-upgrade-package-grafana8
  • freebsd-upgrade-package-grafana9

References

  • CVE-2022-31130

insightVM

Advanced vulnerability management analytics and reporting.
Key Features
Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;