apk package
wolfi/grafana-12.2
pkg:apk/wolfi/grafana-12.2
Vulnerabilities (43)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21726 | Med | 5.3 | | < 12.2.9-r0 | 12.2.9-r0 | Apr 15, 2026 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerabili |
| CVE-2026-39883 | Hig | 7.0 | | < 12.2.8.01-r4 | 12.2.8.01-r4 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf |
| CVE-2026-39882 | Med | 5.3 | | < 12.2.8.01-r7 | 12.2.8.01-r7 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e |
| CVE-2026-34972 | Med | 5.0 | | < 12.2.8.01-r3 | 12.2.8.01-r3 | Apr 6, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can res |
| CVE-2026-33817 | — | — | | < 0 | 0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive |
| CVE-2026-34986 | Hig | 7.5 | | < 12.2.8.01-r2 | 12.2.8.01-r2 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW |
| CVE-2026-28375 | Med | 6.5 | | < 0 | 0 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27880 | Hig | 7.5 | | < 12.2.8.01-r2 | 12.2.8.01-r2 | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. |
| CVE-2026-27879 | Med | 6.5 | | < 0 | 0 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27877 | Med | 6.5 | | < 0 | 0 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos |
| CVE-2026-27876 | Cri | 9.1 | | < 0 | 0 | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst |
| CVE-2026-33729 | Cri | 9.8 | | < 12.2.8-r1 | 12.2.8-r1 | Mar 27, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests produci |
| CVE-2026-32285 | Hig | 7.5 | | < 12.2.7-r2 | 12.2.7-r2 | Mar 26, 2026 | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack. |
| CVE-2026-33186 | Cri | 9.1 | | < 12.2.7-r1 | 12.2.7-r1 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi |
| CVE-2026-1229 | — | — | | < 12.2.8-r0 | 12.2.8-r0 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https:// |
| CVE-2026-24851 | — | — | | < 12.2.5-r0 | 12.2.5-r0 | Feb 6, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement |
| CVE-2025-68121 | Cri | 10.0 | | < 12.2.5-r0 | 12.2.5-r0 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and |
| CVE-2025-61732 | — | — | | < 12.2.5-r0 | 12.2.5-r0 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. |
| CVE-2026-24051 | Hig | 7.0 | | < 0 | 0 | Feb 2, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman |
| CVE-2025-61729 | — | — | | < 12.2.2-r1 | 12.2.2-r1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |