{
  "threat_severity" : "Moderate",
  "public_date" : "2022-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "grafana: plugin signature bypass",
    "id" : "2131147",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "details" : [ "Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass of the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.", "A flaw was found in the Grafana web application, where it is possible to install plugins that are not digitally signed. An admin could install unsigned plugins, which may contain malicious code." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 6.1",
    "release_date" : "2023-06-15T00:00:00Z",
    "advisory" : "RHSA-2023:3642",
    "cpe" : "cpe:/a:redhat:ceph_storage:6.1::el9",
    "package" : "rhceph/rhceph-6-dashboard-rhel9:6-75"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6420",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "grafana-0:9.2.10-7.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/acm-grafana-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Affected",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "rhceph/rhceph-5-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-31123\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31123\nhttps://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8" ],
  "name" : "CVE-2022-31123",
  "csaw" : false
}