
Grafana v9.0.3, v8.5.9, v8.4.10, and v8.3.10 released with high severity security fix

Blog post from Grafana Labs

Author: Jon Gyllenswärd
Word count: 791
Language: English
Summary

Grafana Labs has released Grafana 9.0.3, 8.5.9, 8.4.10, and 8.3.10 to fix two high-severity vulnerabilities, CVE-2022-31097 and CVE-2022-31107, which affect versions 5.3 through 9.0.1. CVE-2022-31097, reported by Maxim Misharin, is a stored cross-site scripting (XSS) vulnerability in Grafana Alerting, rated CVSS 7.3; upgrading is the fix, and disabling Grafana Alerting is offered only as an interim workaround. CVE-2022-31107, reported by the HTTPVoid team, is an OAuth account-takeover vulnerability rated CVSS 7.1, which can be mitigated by disabling OAuth login until the upgrade is applied. Grafana Labs coordinated with cloud providers, including AWS for Amazon Managed Grafana, so that the patches were applied to hosted offerings, and it asks that vulnerabilities be reported responsibly through its security contact. Security announcements and remediation details are published on the Grafana Labs blog.
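A triage helper for the version ranges in the announcement, written here as an added example rather than code from the post or from Grafana Labs: given a Grafana version string, it reports whether the build falls in the stated affected range (5.3 through 9.0.1) and which of the four fixed releases to install. Two choices are assumptions of this example, not statements from the post: a build on a patched minor line that is below its fix (for instance a 9.0.2 build) is treated as needing the upgrade, and a build on a minor line with no dedicated fix is pointed at 9.0.3, the current line.

```python
"""Classify a Grafana version against the affected range and fixed releases
named in the announcement for CVE-2022-31097 and CVE-2022-31107."""
import re
from typing import Optional, Tuple

# (major, minor, patch, 1 for a final release, 0 for a pre-release such as -beta3)
Version = Tuple[int, int, int, int]

# Fixed releases from the announcement, keyed by their minor release line.
FIXED_RELEASES = {
    (9, 0): "9.0.3",
    (8, 5): "8.5.9",
    (8, 4): "8.4.10",
    (8, 3): "8.3.10",
}

# Affected range stated in the announcement: 5.3 through 9.0.1 inclusive.
# The lower bound uses 0 in the final-release slot so 5.3.0 pre-releases count.
AFFECTED_MIN: Version = (5, 3, 0, 0)
AFFECTED_MAX: Version = (9, 0, 1, 1)

# Assumption of this example: lines without a dedicated fix move to the current line.
DEFAULT_TARGET = "9.0.3"

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Version:
    """Parse strings such as '9.0.1', 'v8.4.7' or '9.0.0-beta3'.

    A pre-release sorts below the final release with the same numbers.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, release_to_install).

    status is 'patched', 'affected' or 'unaffected'; release_to_install is the
    version to upgrade to, or None when no action is needed.
    """
    version = parse_version(text)
    line = (version[0], version[1])
    fixed = FIXED_RELEASES.get(line)
    if fixed is not None:
        if version >= parse_version(fixed):
            return ("patched", None)
        # Assumption: anything below the fix on a patched line needs the upgrade,
        # even a build above the stated range such as 9.0.2.
        return ("affected", fixed)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("affected", DEFAULT_TARGET)
    return ("unaffected", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("grafana-prod", "9.0.1"), ("grafana-legacy", "v8.4.7"),
                      ("grafana-dev", "9.0.0-beta3"), ("grafana-old", "5.2.4")]:
        status, target = assess(ver)
        action = f"upgrade to {target}" if target else "no action"
        print(f"{host:15} {ver:12} {status:10} {action}")
```

Run it against your own inventory export; anything reported as "affected" on a line without a dedicated fix should be reviewed by hand, since the jump to 9.0.3 is this example's default rather than advice from the announcement.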