apk package
chainguard/grafana-12.4
pkg:apk/chainguard/grafana-12.4
Vulnerabilities (74)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39832 | Critical | 9.1 | | < 0 | 0 | May 22, 2026 | When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now |
| CVE-2026-39831 | Critical | 9.1 | | < 0 | 0 | May 22, 2026 | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the |
| CVE-2026-39830 | Critical | 9.1 | | < 0 | 0 | May 22, 2026 | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now |
| CVE-2026-39829 | High | 7.5 | | < 0 | 0 | May 22, 2026 | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien |
| CVE-2026-39828 | Medium | 6.3 | | < 0 | 0 | May 22, 2026 | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par |
| CVE-2026-39827 | Medium | 6.5 | | < 0 | 0 | May 22, 2026 | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state |
| CVE-2026-33381 | Medium | 5.9 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this. |
| CVE-2026-33380 | Medium | 6.3 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. |
| CVE-2026-33378 | Medium | 6.5 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. |
| CVE-2026-33377 | High | 7.1 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. |
| CVE-2026-33376 | High | 7.4 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffe |
| CVE-2026-28383 | Medium | 6.5 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. |
| CVE-2026-28380 | Medium | 6.5 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | Any Editor could delete any snapshot, even if they have no access to read or write them. |
| CVE-2026-28379 | Medium | 6.5 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. |
| CVE-2026-28376 | Medium | 6.5 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. |
| CVE-2026-28374 | Medium | 4.3 | | < 12.4.3.02-r0 | 12.4.3.02-r0 | May 13, 2026 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. |
| CVE-2026-41889 | Critical | 9.8 | | < 12.4.2-r10 | 12.4.2-r10 | May 8, 2026 | pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placehol |
| CVE-2026-42501 | High | 7.5 | | < 12.4.2-r11 | 12.4.2-r11 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser |
| CVE-2026-42499 | High | 7.5 | | < 12.4.2-r11 | 12.4.2-r11 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. |
| CVE-2026-39836 | High | 7.5 | | < 12.4.2-r11 | 12.4.2-r11 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). |
Page 2 of 4