CVE-2022-31130: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability in the GitLab data source plugin that could leak the API key to GitLab. Further analysis showed that the vulnerability affects data source and plugin proxy endpoints that carry authentication tokens, but only under some conditions.
We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
References
- github.com/advisories/GHSA-jv32-5578-pxjc
- github.com/grafana/grafana
- github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
- github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f
- github.com/grafana/grafana/releases/tag/v9.1.8
- github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
- nvd.nist.gov/vuln/detail/CVE-2022-31130