Nixpkgs Security Tracker

Untriaged

Permalink CVE-2022-31097

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 months ago

Stored XSS in Grafana's Unified Alerting

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

References

https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC x_transferred
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM x_transferred
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC x_transferred
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC x_transferred
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM x_transferred
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f x_refsource_CONFIRM x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/ x_refsource_MISC x_transferred
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/ x_refsource_MISC x_transferred
https://security.netapp.com/advisory/ntap-20220901-0010/ x_refsource_CONFIRM x_transferred

Affected products

grafana

==>= 9.0.0, < 9.0.3
==>= 8.5.0, < 8.5.9
==>= 8.0.0, < 8.3.10
==>= 8.4.0, < 8.4.10

Matching in nixpkgs

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

nixos-unstable 12.3.0
- nixpkgs-unstable 12.3.0
- nixos-unstable-small 12.3.0

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7

pkgs.mcp-grafana

MCP server for Grafana

nixos-unstable 0.7.9
- nixpkgs-unstable 0.7.9
- nixos-unstable-small 0.7.9

pkgs.grafana-loki

Like Prometheus, but for logs

nixos-unstable 3.5.8
- nixpkgs-unstable 3.5.8
- nixos-unstable-small 3.5.8

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

nixos-unstable 1.11.3
- nixpkgs-unstable 1.11.3
- nixos-unstable-small 1.11.3

pkgs.grafana-kiosk

Kiosk Utility for Grafana

nixos-unstable 1.0.10
- nixpkgs-unstable 1.0.10
- nixos-unstable-small 1.0.10

pkgs.grafana-to-ntfy

Grafana-to-ntfy (ntfy.sh) alerts channel

nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

nixos-unstable 5.0.10
- nixpkgs-unstable 5.0.10
- nixos-unstable-small 5.0.10

pkgs.dhallPackages.dhall-grafana

None

nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932

pkgs.terraform-providers.grafana

None

pkgs.python312Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1

pkgs.python313Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1

pkgs.haskellPackages.amazonka-grafana

Amazon Managed Grafana SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16

pkgs.grafanaPlugins.grafana-oncall-app

Developer-friendly incident response for Grafana

nixos-unstable 1.16.6
- nixpkgs-unstable 1.16.6
- nixos-unstable-small 1.16.6

pkgs.grafanaPlugins.grafana-clock-panel

Clock panel for Grafana

nixos-unstable 2.1.9
- nixpkgs-unstable 2.1.9
- nixos-unstable-small 2.1.9

pkgs.terraform-providers.grafana_grafana

None

nixos-unstable 4.17.0
- nixpkgs-unstable 4.17.0
- nixos-unstable-small 4.17.0

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data