CVE-2022-31123

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

Published: Oct 14, 2022
Updated: May 4, 2025
CVE: CVE-2022-31123
GHSA: GHSA-rhxj-gh46-jvw8
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-347

Affected Software
References

Software	From	Fixed in
grafana / grafana	9.0.0	9.1.8
grafana / grafana	7.0.0	8.5.14
github.com/grafana/grafana	9.0.0	9.1.8
github.com/grafana/grafana	7.0.0	8.5.14

https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
https://security.netapp.com/advisory/ntap-20221124-0002
https://security.netapp.com/advisory/ntap-20221124-0002/

Vulnerability Database

289,599

CVE-2022-31123