FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Plugin signature bypass

Affected packages
7.0.0 <= grafana < 8.5.14
9.0.0 <= grafana < 9.1.8
7.0.0 <= grafana7
8.0.0 <= grafana8 < 8.5.14
9.0.0 <= grafana9 < 9.1.8

Details

VuXML ID 4e60d660-6298-11ed-9ca2-6c3be5272acd
Discovery 2022-07-04
Entry 2022-11-12

Grafana Labs reports:

On July 4th, as a result of an internal security audit, we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

References

CVE Name CVE-2022-31123
URL https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8