Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Affected packages
7.0.0 <= grafana < 8.5.14
9.0.0 <= grafana < 9.1.8
7.0.0 <= grafana7
8.0.0 <= grafana8 < 8.5.14
9.0.0 <= grafana9 < 9.1.8


VuXML ID 6f6c9420-6297-11ed-9ca2-6c3be5272acd
Discovery 2022-06-26
Entry 2022-11-12

Grafana Labs reports:

On June 26, a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis, the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).


CVE Name CVE-2022-31130