apk package
chainguard/grafana-fips-12.3
pkg:apk/chainguard/grafana-fips-12.3
Vulnerabilities (99)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41131 | Medium | 5.0 |  | < 12.3.6.01-r4 | 12.3.6.01-r4 | Apr 22, 2026 | OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlie… |
| CVE-2026-40293 | Medium | 6.5 |  | < 12.3.5-r5 | 12.3.5-r5 | Apr 17, 2026 | OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /… |
| CVE-2026-40179 | Medium | 6.1 |  | < 0 | 0 | Apr 15, 2026 | Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne… |
| CVE-2026-21726 | Medium | 5.3 |  | < 12.3.7-r0 | 12.3.7-r0 | Apr 15, 2026 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode; by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerabili… |
| CVE-2026-39883 | High | 7.0 |  | < 12.3.5-r6 | 12.3.5-r6 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf… |
| CVE-2026-34972 | Medium | 5.0 |  | < 12.3.5-r5 | 12.3.5-r5 | Apr 6, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can res… |
| CVE-2026-33817 | — |  |  | < 0 | 0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive |
| CVE-2026-34986 | High | 7.5 |  | < 12.3.5-r4 | 12.3.5-r4 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW… |
| CVE-2026-34040 | High | 8.8 |  | < 12.3.7-r0 | 12.3.7-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. |
| CVE-2026-33997 | Medium | 6.8 |  | < 12.3.7-r0 | 12.3.7-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre… |
| CVE-2026-28375 | Medium | 6.5 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27880 | High | 7.5 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. |
| CVE-2026-27879 | Medium | 6.5 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27877 | Medium | 6.5 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos… |
| CVE-2026-27876 | Critical | 9.1 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst… |
| CVE-2026-33729 | Critical | 9.8 |  | < 12.3.5-r5 | 12.3.5-r5 | Mar 27, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests produci… |
| CVE-2026-21724 | Medium | 5.4 |  | < 12.3.6.01-r0 | 12.3.6.01-r0 | Mar 26, 2026 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. |
| CVE-2026-32285 | High | 7.5 |  | < 12.3.5-r3 | 12.3.5-r3 | Mar 26, 2026 | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack. |
| CVE-2026-33186 | Critical | 9.1 |  | < 12.3.5-r2 | 12.3.5-r2 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi… |
| CVE-2026-1229 | — |  |  | < 12.3.4-r2 | 12.3.4-r2 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://… |
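The practical question behind a table like this is whether a specific image build still carries each CVE. The Go program below is an added example written for this page; it is not Chainguard tooling and not part of the listing. It embeds a constructed subset of the rows above, compares a hypothetical installed package version (12.3.5-r4, the kind of value `apk list --installed` prints inside the image) against each Fixed in value, and treats a Fixed in of 0 as "no fixed version recorded, review by hand" (an assumption about what the page means by 0). The comparison handles the two quirks visible in the table, a fourth numeric component (12.3.6.01) and the -rN package release, but it is a simplification of apk-tools version ordering, which also knows suffixes such as _alpha and _p; `apk version -t A B` remains the authoritative check.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one row of the listing; FixedIn "0" is how the page shows an
// entry with no fixed package version recorded (assumption).
type Advisory struct {
	CVE     string
	FixedIn string
}

// advisories is a constructed subset of the table; a real run would take the
// rows from the advisory feed or an SBOM scanner rather than a literal.
var advisories = []Advisory{
	{"CVE-2026-41131", "12.3.6.01-r4"},
	{"CVE-2026-40293", "12.3.5-r5"},
	{"CVE-2026-40179", "0"},
	{"CVE-2026-21726", "12.3.7-r0"},
	{"CVE-2026-27876", "12.3.6.01-r0"},
	{"CVE-2026-33186", "12.3.5-r2"},
	{"CVE-2026-1229", "12.3.4-r2"},
}

// Status is the triage verdict for one advisory against an installed version.
type Status string

const (
	Vulnerable   Status = "vulnerable"    // installed < fixed-in
	Fixed        Status = "fixed"         // installed >= fixed-in
	ManualReview Status = "manual-review" // page records no fixed-in version
)

// parseAPK splits "12.3.6.01-r4" into numeric dot components and the -rN
// package release. Simplified on purpose: no _alpha/_p/letter suffix handling.
func parseAPK(v string) ([]int, int, error) {
	base, relStr, hasRel := strings.Cut(v, "-r")
	rel := 0
	if hasRel {
		n, err := strconv.Atoi(relStr)
		if err != nil {
			return nil, 0, fmt.Errorf("bad release in %q: %w", v, err)
		}
		rel = n
	}
	var parts []int
	for _, p := range strings.Split(base, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, 0, fmt.Errorf("bad component %q in %q", p, v)
		}
		parts = append(parts, n)
	}
	return parts, rel, nil
}

// compareAPK returns -1, 0 or 1 for a < b, a == b, a > b. Missing trailing
// components count as 0, so 12.3.6.01 sorts after 12.3.6 and 12.3.7-r0 equals 12.3.7.
func compareAPK(a, b string) (int, error) {
	pa, ra, err := parseAPK(a)
	if err != nil {
		return 0, err
	}
	pb, rb, err := parseAPK(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			if x < y {
				return -1, nil
			}
			return 1, nil
		}
	}
	if ra != rb {
		if ra < rb {
			return -1, nil
		}
		return 1, nil
	}
	return 0, nil
}

// triage maps each CVE to a Status for the given installed package version.
func triage(installed string, advs []Advisory) (map[string]Status, error) {
	out := make(map[string]Status, len(advs))
	for _, a := range advs {
		if a.FixedIn == "0" {
			out[a.CVE] = ManualReview
			continue
		}
		c, err := compareAPK(installed, a.FixedIn)
		if err != nil {
			return nil, err
		}
		out[a.CVE] = Fixed
		if c < 0 {
			out[a.CVE] = Vulnerable
		}
	}
	return out, nil
}

func main() {
	res, err := triage("12.3.5-r4", advisories) // hypothetical installed version
	if err != nil {
		panic(err)
	}
	for cve, s := range res {
		fmt.Printf("%-16s %s\n", cve, s)
	}
}
```

For 12.3.5-r4 the program reports CVE-2026-33186 and CVE-2026-1229 as fixed, CVE-2026-40179 as needing manual review, and the remaining four as still present; note that a Fixed in of 12.3.5-r5 differs from the installed 12.3.5-r4 only in the package release, which is exactly the case a version comparison that ignores -rN would get wrong.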
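The CVE-2026-21726 entry describes a validator that looks for traversal sequences after a single URL decode, which a double-encoded namespace slips past. The Go code below is an added illustration of that failure mode and of two fixes, written for this page; it is not Loki's code and makes no claim about how Loki's handler is structured. The function names, the rules root /rules and the sample namespace values are all constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("namespace rejected: path traversal")

// singleDecodeCheck reproduces the weak pattern (illustrative, not Loki's
// code): decode once, then look for "..". A double-encoded "../" arrives as
// "%252e%252e%2f", decodes once to "%2e%2e/", passes this check, and any
// later decode downstream turns it back into "../".
func singleDecodeCheck(ns string) (string, error) {
	decoded, err := url.PathUnescape(ns)
	if err != nil {
		return "", err
	}
	if strings.Contains(decoded, "..") {
		return "", errTraversal
	}
	return decoded, nil
}

// hardenedCheck decodes until the value stops changing (bounded, so deep
// nesting cannot loop forever), then requires a single plain path segment:
// no separators, no leftover percent escapes, no NUL, not "." or "..".
// A legitimate name containing a literal "%" is rejected as well; that is
// the intended trade-off.
func hardenedCheck(ns string) (string, error) {
	cur := ns
	for i := 0; i < 8; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", err
		}
		if next == cur {
			break
		}
		cur = next
	}
	if cur == "" || cur == "." || cur == ".." || strings.ContainsAny(cur, "/\\%\x00") {
		return "", errTraversal
	}
	return cur, nil
}

// safeJoin is the point-of-use check that belongs in the file layer no
// matter what the request validator does: the resolved path must stay
// under root after cleaning.
func safeJoin(root, ns string) (string, error) {
	full := filepath.Join(root, ns) // Join cleans, so "../" is resolved here
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	// Constructed inputs: a benign namespace, a single-encoded and a
	// double-encoded traversal attempt.
	for _, ns := range []string{"team-a", "%2e%2e%2fetc%2fpasswd", "%252e%252e%2fetc%2fpasswd"} {
		weak, werr := singleDecodeCheck(ns)
		hard, herr := hardenedCheck(ns)
		fmt.Printf("%-28s weak=%q (%v)  hardened=%q (%v)\n", ns, weak, werr, hard, herr)
	}
}
```

The single-decode check rejects `%2e%2e%2fetc%2fpasswd` but accepts `%252e%252e%2fetc%2fpasswd`, returning the still-encoded `%2e%2e/etc/passwd`; the hardened check rejects both, and safeJoin rejects a cleaned path that escapes the root even if a validator upstream was fooled.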
Page 3 of 5