CVE-2022-31123
Aliases:GHSA-rhxj-gh46-jvw8BIT-grafana-2022-31123GO-2024-2855
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 13 Oct 2022, 00:00
Last modified:28 Jan 2026, 04:55
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Oct 2022, 00:00
Published
Vulnerability first disclosed
28 Jan 2026, 04:55
Last Modified
Vulnerability information updated
Description
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
CVSS Metrics
- v4.0•HIGH•Score: 8.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Techniques & Countermeasures
- CWE-347•Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Systems
- github.com/grafana•grafana
≥ 9.0.0, < 9.1.8 | ≥ 7.0.0, < 8.5.14 | all
- grafana•grafana
< 8.5.14 | ≥ 7.0.0, < 8.5.14 | ≥ 9.0.0, < 9.1.8
- netapp•e-series_performance_analyzer
na
References (6)
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2022-31123
- https://github.com/grafana/grafana
- https://security.netapp.com/advisory/ntap-20221124-0002