CVE-2022-31123: 
Grafana vulnerability analysis and mitigation

Grafana, an open source observability and data visualization platform, was found to contain a vulnerability (CVE-2022-31123) in versions prior to 9.1.8 and 8.5.14. The vulnerability was discovered on July 4th, 2022, through an internal security audit and involves a bypass in the plugin signature verification by exploiting a versioning flaw (GitHub Advisory).

The vulnerability has been assigned a CVSS score of 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L), indicating a moderate severity level. The technical assessment shows that the vulnerability requires local access, low attack complexity, high privileges, and user interaction. The vulnerability affects the plugin signature verification system (GitHub Advisory).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows an attacker to convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed (NetApp Advisory).

The vulnerability has been patched in Grafana versions 9.1.8 and 8.5.14. Users are strongly advised to upgrade their Grafana instances to these versions or later. As a temporary workaround, administrators are advised not to install plugins downloaded from untrusted sources (GitHub Advisory).