Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Weakness
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Grafana | Grafana | 7.0.0 (including) | 8.5.14 (excluding) |
| Grafana | Grafana | 9.0.0 (including) | 9.1.8 (excluding) |
| Red Hat Ceph Storage 6.1 | RedHat | rhceph/rhceph-6-dashboard-rhel9:6-75 | * |
| Red Hat Enterprise Linux 9 | RedHat | grafana-0:9.2.10-7.el9_3 | * |
| Grafana | Ubuntu | esm-apps/xenial | * |
| Grafana | Ubuntu | trusty | * |
| Grafana | Ubuntu | xenial | * |
Related Attack Patterns
References
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://security.netapp.com/advisory/ntap-20221124-0002/