API Security Blog

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix this issue.

Release 9.2, latest release, also containing the security fix: Download Grafana 9.2
Release 9.1.8, only containing the security fix: Download Grafana 9.1.8
Release 8.5.14, only containing the security fix: Download Grafana 8.5.14

Appropriate patches have been applied to Grafana Cloud and, as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This applies to Amazon Managed Grafana and Azure's Grafana as a service offering.

CVE-2022-31130

Summary

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability in the GitLab data source plugin that could leak the API key to GitLab. Further analysis showed that the vulnerability affects data source and plugin proxy endpoints that forward authentication tokens, under certain conditions. We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

Impact

The destination plugin could receive the Grafana authentication token of the requesting user.

Impacted versions

All Grafana installations running versions <=9.x, <=8.x or <=7.x (fixed in the 9.2, 9.1.8 and 8.5.14 releases listed above).

Solutions and mitigations

To fully address CVE-2022-31130…
