What is CVE-2022-31097?

CVE-2022-31097 is a high-severity vulnerability in Grafana, classified under Cross-site Scripting. CVSS score: 7.3/10. Published 2022-07-15.

How severe is CVE-2022-31097?

High severity. CVSS v3 base score is 7.3 out of 10.

Is CVE-2022-31097 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Grafana

CVE-2022-31097

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.681 (99.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N.

Affected products

Grafana — versions >= 9.0.0, < 9.0.3, >= 8.5.0, < 8.5.9, >= 8.4.0, < 8.4.10

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

Public proof-of-concept exploits

References

github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f (x_refsource_CONFIRM)
grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ (x_refsource_MISC)
grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ (x_refsource_MISC)
grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ (x_refsource_MISC)
security.netapp.com/advisory/ntap-20220901-0010/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2022-31097?: CVE-2022-31097 is a high-severity vulnerability in Grafana, classified under Cross-site Scripting. CVSS score: 7.3/10. Published 2022-07-15.
How severe is CVE-2022-31097?: High severity. CVSS v3 base score is 7.3 out of 10.
Is CVE-2022-31097 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.