6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): LOW
Grafana plugin signature bypass vulnerability
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
References
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 x_transferred
- https://github.com/grafana/grafana/releases/tag/v9.1.8 x_transferred
- https://security.netapp.com/advisory/ntap-20221124-0002/ x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://security.netapp.com/advisory/ntap-20221124-0002/ x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 x_transferred
- https://github.com/grafana/grafana/releases/tag/v9.1.8 x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://github.com/grafana/grafana/releases/tag/v9.1.8 x_transferred
- https://security.netapp.com/advisory/ntap-20221124-0002/ x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://security.netapp.com/advisory/ntap-20221124-0002/
- https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 x_transferred
- https://github.com/grafana/grafana/releases/tag/v9.1.8 x_transferred
- https://security.netapp.com/advisory/ntap-20221124-0002/ x_transferred
Affected products
- ==< 8.5.14
- ==>= 9.0.0, < 9.1.8
Matching in nixpkgs
pkgs.grafana
Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
pkgs.grafanactl
Tool designed to simplify interaction with Grafana instances
pkgs.mcp-grafana
MCP server for Grafana
pkgs.grafana-loki
Like Prometheus, but for logs
pkgs.grafana-alloy
Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles
pkgs.grafana-kiosk
Kiosk Utility for Grafana
pkgs.grafana-to-ntfy
Grafana-to-ntfy (ntfy.sh) alerts channel
-
nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25
pkgs.grafana-dash-n-grab
Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities
pkgs.grafana-image-renderer
Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
pkgs.dhallPackages.dhall-grafana
None
-
nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
pkgs.terraform-providers.grafana
None
pkgs.python312Packages.grafanalib
Library for building Grafana dashboards
pkgs.python313Packages.grafanalib
Library for building Grafana dashboards
pkgs.haskellPackages.amazonka-grafana
Amazon Managed Grafana SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
pkgs.grafanaPlugins.grafana-oncall-app
Developer-friendly incident response for Grafana
pkgs.grafanaPlugins.grafana-clock-panel
Clock panel for Grafana
pkgs.terraform-providers.grafana_grafana
None
pkgs.grafanaPlugins.grafana-pyroscope-app
Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data
pkgs.python312Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.python313Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.grafanaPlugins.grafana-piechart-panel
Pie chart panel for Grafana
pkgs.grafanaPlugins.grafana-polystat-panel
Hexagonal multi-stat panel for Grafana
pkgs.grafanaPlugins.grafana-worldmap-panel
World Map panel for Grafana
pkgs.grafanaPlugins.grafana-lokiexplore-app
Browse Loki logs without the need for writing complex queries
pkgs.grafanaPlugins.grafana-mqtt-datasource
Visualize streaming MQTT data from within Grafana
-
nixos-unstable 1.1.0-beta.3
- nixpkgs-unstable 1.1.0-beta.3
- nixos-unstable-small 1.1.0-beta.3
pkgs.grafanaPlugins.grafana-exploretraces-app
Opinionated traces app
pkgs.grafanaPlugins.grafana-github-datasource
Allows GitHub API data to be visually represented in Grafana dashboards
pkgs.grafanaPlugins.grafana-sentry-datasource
Integrate Sentry data into Grafana
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
pkgs.grafanaPlugins.grafana-metricsdrilldown-app
Queryless experience for browsing Prometheus-compatible metrics. Quickly find related metrics without writing PromQL queries
pkgs.python312Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.python313Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.grafanaPlugins.grafana-clickhouse-datasource
Connects Grafana to ClickHouse
pkgs.grafanaPlugins.grafana-opensearch-datasource
Empowers you to seamlessly integrate JSON data into Grafana
pkgs.grafanaPlugins.grafana-googlesheets-datasource
Integrate JSON data into Grafana
Package maintainers
-
@offlinehacker Jaka Hudoklin <jaka@x-truder.net>
-
@WilliButz Willi Butz <willibutz@posteo.de>
-
@Frostman Sergei Lukianov <me@slukjanov.name>
-
@globin Robin Gloster <mail@glob.in>
-
@fpletz Franz Pletz <fpletz@fnordicwalking.de>
-
@Ma27 Maximilian Bosch <maximilian@mbosch.me>
-
@ryan4yin Ryan Yin <xiaoyin_c@qq.com>
-
@azahi Azat Bahawi <azat@bahawi.net>
-
@hbjydev Hayden Young <hayden@kuraudo.io>
-
@flokli Florian Klink <flokli@flokli.de>
-
@cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>
-
@wraithm Matthew Wraith <wraithm@gmail.com>
-
@marcusramberg Marcus Ramberg <marcus@means.no>
-
@emilylange Emily Lange <nix@emilylange.de>
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@majiru Jacob Moody <moody@posixcafe.org>
-
@lukegb Luke Granger-Brown <nix@lukegb.com>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
-
@mockersf François Mockers <francois.mockers@vleue.com>
-
@loispostula Loïs Postula <lois@postu.la>
-
@NthTensor Miles Silberling-Cook <miles.silberlingcook@gmail.com>
-
@MarcelCoding Marcel <me@m4rc3l.de>
-
@arianvp Arian van Putten <arian.vanputten@gmail.com>
-
@wcarlsen Willi Carlsen <carlsenwilli@gmail.com>
-
@pilz0 Pilz <nix@pilz.foo>