apk package
chainguard/grafana-fips-12.1
pkg:apk/chainguard/grafana-fips-12.1
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32283 | Hig | 7.5 | < 12.1.9-r5 | 12.1.9-r5 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | |
| CVE-2026-32282 | Med | 6.4 | < 0 | 0 | Apr 8, 2026 | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R | |
| CVE-2026-32281 | Hig | 7.5 | < 12.1.9-r5 | 12.1.9-r5 | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C | |
| CVE-2026-32280 | Hig | 7.5 | < 12.1.9-r5 | 12.1.9-r5 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls | |
| CVE-2026-27140 | Hig | 8.8 | < 12.1.9-r5 | 12.1.9-r5 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | |
| CVE-2026-33816 | Cri | 9.8 | < 0 | 0 | Apr 7, 2026 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | |
| CVE-2026-33817 | — | < 0 | 0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-34986 | Hig | 7.5 | < 12.1.9-r7 | 12.1.9-r7 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-34165 | Med | 5.0 | < 12.1.9-r5 | 12.1.9-r5 | Mar 31, 2026 | go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re | |
| CVE-2026-33762 | Low | 2.8 | < 12.1.9-r5 | 12.1.9-r5 | Mar 31, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t | |
| CVE-2026-28375 | Med | 6.5 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | |
| CVE-2026-27880 | Hig | 7.5 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | |
| CVE-2026-27879 | Med | 6.5 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. | |
| CVE-2026-27877 | Med | 6.5 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos | |
| CVE-2026-27876 | Cri | 9.1 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst | |
| CVE-2026-33375 | Med | 6.5 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 26, 2026 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. | |
| CVE-2026-21724 | Med | 5.4 | < 12.1.10.01-r0 | 12.1.10.01-r0 | Mar 26, 2026 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. | |
| CVE-2026-32285 | Hig | 7.5 | < 12.1.9-r4 | 12.1.9-r4 | Mar 26, 2026 | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack. | |
| CVE-2026-33186 | Cri | 9.1 | < 12.1.9-r4 | 12.1.9-r4 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2026-1229 | — | < 12.1.8-r2 | 12.1.8-r2 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https:// |
- affected < 12.1.9-r5fixed 12.1.9-r5
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
- affected < 0fixed 0
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R
- affected < 12.1.9-r5fixed 12.1.9-r5
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C
- affected < 12.1.9-r5fixed 12.1.9-r5
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls
- affected < 12.1.9-r5fixed 12.1.9-r5
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- affected < 0fixed 0
Memory-safety vulnerability in github.com/jackc/pgx/v5.
- CVE-2026-33817Apr 6, 2026affected < 0fixed 0
Rejected reason: CVE confirmed to be a false positive
- affected < 12.1.9-r7fixed 12.1.9-r7
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 12.1.9-r5fixed 12.1.9-r5
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
- affected < 12.1.9-r5fixed 12.1.9-r5
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
A resample query can be used to trigger out-of-memory crashes in Grafana.
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
- affected < 12.1.10.01-r0fixed 12.1.10.01-r0
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
- affected < 12.1.9-r4fixed 12.1.9-r4
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
- affected < 12.1.9-r4fixed 12.1.9-r4
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2026-1229Feb 24, 2026affected < 12.1.8-r2fixed 12.1.8-r2
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
Page 2 of 3