Bug 2131147 (CVE-2022-31123) - CVE-2022-31123 grafana: plugin signature bypass
Summary: CVE-2022-31123 grafana: plugin signature bypass
Keywords:
Status: NEW
Alias: CVE-2022-31123
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2131187 2131188 2131261 2133062 2133063 2133064 2134708 2134937
Blocks: 2131159
Reported: 2022-09-30 05:51 UTC by TEJ RATHI
Modified: 2024-07-20 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:01:11 UTC
Red Hat Product Errata RHSA-2023:6420 0 None None None 2023-11-07 08:16:20 UTC

Description TEJ RATHI 2022-09-30 05:51:36 UTC
CVE-2022-31123: Plugin signature bypass
 
It is possible to bypass plugin signatures by exploiting a versioning flaw in Grafana. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins <https://go.grafana.com/MzU2LVlGRy0zODkAAAGHKffeRdXtITNJ57jRLGNoDYneVd-OEEcBdv-IjxVZkAZ_sJruum93h2vIohJ4utenGSY7smU=> are not allowed.

Affected versions: Grafana <= 9.1.x

Comment 4 Marian Rehak 2022-10-14 05:41:31 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2134708]

Comment 15 errata-xmlrpc 2023-06-15 16:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 17 errata-xmlrpc 2023-11-07 08:16:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420

