CVE-2022-31130

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-31130
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31130.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31130
Aliases
Downstream
Related
Published
2022-10-13T00:00:00Z
Modified
2026-04-02T08:03:08.253330Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Details

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31130.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5bc88988a5a25c23452249315e8789ef059a2a3d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.5.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
b5c56f63710e09f37b8557ddd8b99ae3fc583169
Fixed
3c0c14de5d73bed5cc429d2beeabd0217c6bf221
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.1.8"
        }
    ]
}

Affected versions

1.*
1.0.0
6.*
6.1.6
7.*
7.0.0
7.2.1
Other
dupa
list
omgtest
pull
test
vtest-new-release-pipeline
packages@6.*
packages@6.3.0-alpha.33
packages@6.3.0-alpha.36
packages@6.3.0-beta.1
pkg/promlib/v0.*
pkg/promlib/v0.0.1
pkg/promlib/v0.0.10
pkg/promlib/v0.0.2
pkg/promlib/v0.0.3
pkg/promlib/v0.0.4
pkg/promlib/v0.0.5
pkg/promlib/v0.0.6
pkg/promlib/v0.0.7
pkg/promlib/v0.0.8
pkg/promlib/v0.0.9
pkg/util/xorm/v0.*
pkg/util/xorm/v0.0.1
rrc_fast_12.*
rrc_fast_12.2.0-17261372546.patch1
rrc_steady_12.*
rrc_steady_12.2.0-17245430286.patch1
rrc_steady_12.4.0-19174562009.patch4
rrc_steady_13.*
rrc_steady_13.0.0-22843068776.patch2
v0.*
v0.0.0-cloud
v0.0.0-kmdagger1
v0.0.0-kmdagger2
v0.0.0-kmdagger3
v0.0.0-test
v0.0.0-test.2
v0.0.0-testrgm3
v0.0.0-testrgm4
v0.0.0-testrgm6
v0.0.1-test
v0.0.85-test
v1.*
v1.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.0-rc1
v1.8.0
v1.8.0-rc1
v1.8.1
v1.9.0
v1.9.0-rc1
v1.9.1
v10.*
v10.0.0
v10.0.0-preview
v10.0.1
v10.0.10
v10.0.11
v10.0.12
v10.0.13
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.8
v10.0.9
v10.1.0
v10.1.1
v10.1.10
v10.1.2
v10.1.4
v10.1.5
v10.1.6
v10.1.7
v10.1.8
v10.1.9
v10.2.0
v10.2.1
v10.2.2
v10.2.3
v10.2.4
v10.2.5
v10.2.6
v10.2.7
v10.2.8
v10.2.9
v10.3.0
v10.3.1
v10.3.10
v10.3.11
v10.3.12
v10.3.3
v10.3.4
v10.3.5
v10.3.6
v10.3.7
v10.3.8
v10.3.9
v10.4.0
v10.4.1
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.17+security-01
v10.4.18
v10.4.18+security-01
v10.4.19
v10.4.19+security-01
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v11.*
v11.0.0
v11.0.0-preview
v11.0.1
v11.0.10
v11.0.11
v11.0.2
v11.0.3
v11.0.4
v11.0.5
v11.0.5+security-01
v11.0.6
v11.0.6+security-01
v11.0.7
v11.0.8
v11.0.9
v11.1.0
v11.1.1
v11.1.10
v11.1.11
v11.1.12
v11.1.13
v11.1.2
v11.1.3
v11.1.4
v11.1.5
v11.1.6
v11.1.6+security-01
v11.1.7
v11.1.7+security-01
v11.1.8
v11.1.9
v11.1.999-zserge-test
v11.2.0
v11.2.1
v11.2.1+security-01
v11.2.10
v11.2.10+security-01
v11.2.2
v11.2.2+security-01
v11.2.3
v11.2.3+security-01
v11.2.4
v11.2.5
v11.2.6
v11.2.7
v11.2.8
v11.2.8+security-01
v11.2.9
v11.2.9+security-01
v11.3.0
v11.3.0+security-01
v11.3.1
v11.3.2
v11.3.3
v11.3.4
v11.3.5
v11.3.5+security-01
v11.3.6
v11.3.6+security-01
v11.3.7
v11.3.7+security-01
v11.3.8
v11.3.8+security-01
v11.3.9
v11.4.0
v11.4.1
v11.4.2
v11.4.3
v11.4.3+security-01
v11.4.4
v11.4.4+security-01
v11.4.5
v11.4.5+security-01
v11.4.6
v11.4.6+security-01
v11.4.7
v11.4.8
v11.5.0
v11.5.1
v11.5.10
v11.5.2
v11.5.3
v11.5.3+security-01
v11.5.4
v11.5.4+security-01
v11.5.5
v11.5.5+security-01
v11.5.6
v11.5.6+security-01
v11.5.7
v11.5.8
v11.5.9
v11.6.0
v11.6.0+security-01
v11.6.1
v11.6.1+security-01
v11.6.10
v11.6.10+security-01
v11.6.11
v11.6.12
v11.6.13
v11.6.14
v11.6.14+security-01
v11.6.2
v11.6.2+security-01
v11.6.3
v11.6.3+security-01
v11.6.4
v11.6.5
v11.6.6
v11.6.7
v11.6.8
v11.6.9
v11.6.9+security-01
v12.*
v12.0.0
v12.0.0+security-01
v12.0.1
v12.0.1+security-01
v12.0.10
v12.0.2
v12.0.2+security-01
v12.0.3
v12.0.4
v12.0.5
v12.0.6
v12.0.6+security-01
v12.0.7
v12.0.8
v12.0.8+security-01
v12.0.9
v12.1.0
v12.1.1
v12.1.10
v12.1.10+security-01
v12.1.2
v12.1.3
v12.1.3+security-01
v12.1.4
v12.1.5
v12.1.5+security-01
v12.1.6
v12.1.6+security-01
v12.1.7
v12.1.8
v12.1.9
v12.2.0
v12.2.1
v12.2.1+security-01
v12.2.2
v12.2.3
v12.2.3+security-01
v12.2.4
v12.2.4+security-01
v12.2.5
v12.2.6
v12.2.7
v12.2.8
v12.2.8+security-01
v12.3.0
v12.3.1
v12.3.1+security-01
v12.3.2
v12.3.2+security-01
v12.3.3
v12.3.4
v12.3.5
v12.3.6
v12.3.6+security-01
v12.4.0
v12.4.1
v12.4.2
v2.*
v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.5.0
v2.6.0
v2.6.0-beta1
v3.*
v3.0-beta1
v3.0-beta2
v3.0-beta3
v3.0-beta4
v3.0-beta5
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.0-beta1
v3.1.1
v3.2.1-test
v4.*
v4.0.0
v4.0.0-beta1
v4.0.0-beta2
v4.0.1
v4.0.2
v4.1.0
v4.1.0-beta1
v4.1.1
v4.1.2
v4.2.0
v4.2.0-beta1
v4.3.0
v4.3.0-beta1
v4.3.1
v4.3.2
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.0-beta1
v4.5.1
v4.5.2
v4.6.0
v4.6.0-beta1
v4.6.0-beta2
v4.6.0-beta3
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v5.*
v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.1.0-beta1
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.2.0
v5.2.0-beta1
v5.2.0-beta2
v5.2.0-beta3
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.3.0
v5.3.0-beta1
v5.3.0-beta2
v5.3.0-beta3
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4.0
v5.4.0-beta1
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.4_private
v5.4.5
v6.*
v6.0.0
v6.0.0-beta1
v6.0.0-beta2
v6.0.0-beta3
v6.0.1
v6.0.2
v6.1.0
v6.1.0-beta1
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.6
v6.2.0
v6.2.0-beta1
v6.2.0-beta2
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.3.0
v6.3.0-alpha.30
v6.3.0-beta.0
v6.3.0-beta1
v6.3.0-beta2
v6.3.0-beta3
v6.3.0-beta4
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.4.0
v6.4.0-beta1
v6.4.0-beta2
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.5
v6.5.0
v6.5.0-beta1
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.0-beta1
v6.6.1
v6.6.2
v6.7.0
v6.7.0-beta1
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v7.*
v7.0.0
v7.0.0-beta1
v7.0.0-beta2
v7.0.0-beta3
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.1.0
v7.1.0-beta1
v7.1.0-beta2
v7.1.0-beta3
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.2.0
v7.2.0-beta1
v7.2.0-beta2
v7.2.1
v7.2.2
v7.2.3
v7.3.0
v7.3.0-beta1
v7.3.0-beta2
v7.3.1
v7.3.10
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.4.0
v7.4.0-beta1
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.5.0
v7.5.0-beta1
v7.5.0-beta2
v7.5.1
v7.5.10
v7.5.11
v7.5.12
v7.5.13
v7.5.15
v7.5.16
v7.5.17
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6
v7.5.7
v7.5.8
v7.5.9
v8.*
v8.0.0
v8.0.0-beta1
v8.0.0-beta2
v8.0.0-beta3
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.1.0
v8.1.0-beta1
v8.1.0-beta2
v8.1.0-beta3
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.5
v8.1.6
v8.1.7
v8.1.8
v8.2.0
v8.2.0-beta1
v8.2.0-beta2
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.2.6
v8.2.7
v8.3.0
v8.3.0-beta1
v8.3.0-beta2
v8.3.1
v8.3.10
v8.3.11
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.3.7
v8.4.0
v8.4.0-beta1
v8.4.1
v8.4.10
v8.4.11
v8.4.2
v8.4.3
v8.4.4
v8.4.5
v8.4.6
v8.4.7
v8.5.0
v8.5.0-beta1
v8.5.1
v8.5.10
v8.5.11
v8.5.13
v8.5.15
v8.5.16
v8.5.2
v8.5.20
v8.5.21
v8.5.22
v8.5.24
v8.5.26
v8.5.27
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.9
v9.*
v9.0.0
v9.0.0-beta1
v9.0.0-beta2
v9.0.0-beta3
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9
v9.1.0
v9.1.0-beta1
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.1.7
v9.1.8
v9.2.0
v9.2.0-279c6c6c7d
v9.2.0-beta1
v9.2.1
v9.2.10
v9.2.13
v9.2.15
v9.2.17
v9.2.18
v9.2.19
v9.2.2
v9.2.20
v9.2.3
v9.2.4
v9.2.5
v9.2.6
v9.2.7
v9.2.8
v9.3.0
v9.3.0-beta1
v9.3.1
v9.3.11
v9.3.13
v9.3.14
v9.3.15
v9.3.16
v9.3.2
v9.3.4
v9.3.6
v9.3.8
v9.4.0
v9.4.0-beta1
v9.4.1
v9.4.10
v9.4.12
v9.4.13
v9.4.14
v9.4.15
v9.4.17
v9.4.2
v9.4.3
v9.4.7
v9.4.9
v9.5.0
v9.5.1
v9.5.10
v9.5.12
v9.5.13
v9.5.14
v9.5.15
v9.5.16
v9.5.17
v9.5.18
v9.5.19
v9.5.2
v9.5.20
v9.5.21
v9.5.3
v9.5.5
v9.5.6
v9.5.7
v9.5.8
v9.5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31130.json"