VYPR

apk package

chainguard/grafana-fips-12.2

pkg:apk/chainguard/grafana-fips-12.2

Vulnerabilities (112)

  • CVE-2025-3415MedJul 17, 2025
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+

  • CVE-2025-1088LowJun 18, 2025
    affected < 0fixed 0

    In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.

  • CVE-2025-3454MedJun 2, 2025
    affected < 0fixed 0

    This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. Th

  • CVE-2025-3260HigJun 2, 2025
    affected < 0fixed 0

    A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless

  • CVE-2025-4123HigMay 22, 2025
    affected < 0fixed 0

    A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not requir

  • CVE-2024-11741MedJan 31, 2025
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3,  11.2.6, 11.1.11, 11.0.11 and 10.4.15

  • CVE-2024-9264Oct 18, 2024
    affected < 0fixed 0

    The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user wit

  • CVE-2024-6322MedAug 20, 2024
    affected < 0fixed 0

    Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must

  • CVE-2024-1313MedMar 26, 2024
    affected < 0fixed 0

    It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per

  • CVE-2024-1442Mar 7, 2024
    affected < 0fixed 0

    A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

  • CVE-2022-39324Jan 27, 2023
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna

  • CVE-2022-39307Nov 9, 2022
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m

  • CVE-2022-39306Nov 9, 2022
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the o

  • CVE-2022-39328Nov 8, 2022
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. Thi

  • CVE-2022-39229Oct 13, 2022
    affected < 0fixed 0

    Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are

  • CVE-2022-39201Oct 13, 2022
    affected < 0fixed 0

    Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints un

  • CVE-2022-31130Oct 13, 2022
    affected < 0fixed 0

    Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoint

  • CVE-2022-31123Oct 13, 2022
    affected < 0fixed 0

    Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though uns

  • CVE-2022-36062Sep 22, 2022
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerabil

  • CVE-2022-35957Sep 20, 2022
    affected < 0fixed 0

    Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana

Page 5 of 6