CVE-2022-31130 MEDIUM

CVE-2022-31130: Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Vendor Grafana

Product grafana

Weakness CWE-200 · Info exposure

Published October 13, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

Key dates

02Disclosure timeline

October 13, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-31130

Related vulnerabilities

Identifiers

CVE CVE-2022-31130

CWE CWE-200

CVSS 4.9 / MEDIUM

Affected versions

Vendor Grafana

Product grafana

Affected < 8.5.14

Vendor Grafana

Product grafana

Affected >= 9.0.0, < 9.1.8

CVE-2022-31130: Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

01Description

02Disclosure timeline

03References

04Related CVE