Grafana ImgRender <3.6.1 - Unauthorized File Disclosure (plugin)
CVE-2022-31176 Published on September 2, 2022
Grafana Image Renderer leaking files
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). All Grafana installations should be upgraded to version 3.6.1 as soon as possible. As a workaround it is possible to [disable HTTP remote rendering](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#plugingrafana-image-renderer).
Vulnerability Analysis
CVE-2022-31176 is exploitable with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A successful exploit of this vulnerability is considered to have a high impact on confidentiality, no impact on integrity, and a high impact on availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2022-31176 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2022-31176
Affected Versions
grafana-image-renderer Version < 3.6.0 is affected by CVE-2022-31176
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.