Bitnami package
grafana
pkg:bitnami/grafana
Vulnerabilities (100)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8118 | Med | — | >= 8.5.0, < 10.4.9 | 10.4.9 | Sep 26, 2024 | In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. | |
| CVE-2024-6322 | Med | 5.4 | >= 11.1.0, < 11.1.3 | 11.1.3 | Aug 20, 2024 | Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must | |
| CVE-2024-1313 | Med | 6.5 | >= 9.5.0, < 9.5.18 | 9.5.18 | Mar 26, 2024 | It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per | |
| CVE-2024-1442 | Med | 6.0 | >= 8.5.0, < 9.5.7 | 9.5.7 | Mar 7, 2024 | A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. | |
| CVE-2023-5122 | Med | 5.0 | < 0.6.13 | 0.6.13 | Feb 14, 2024 | Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured t | |
| CVE-2023-6152 | Med | 5.4 | >= 2.5.0, < 9.5.16 | 9.5.16 | Feb 13, 2024 | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. | |
| CVE-2023-4399 | Med | 6.6 | >= 9.4.0, < 9.4.17 | 9.4.17 | Oct 17, 2023 | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode | |
| CVE-2023-4822 | Med | 6.7 | >= 8.0.0, < 9.4.16 | 9.4.16 | Oct 16, 2023 | Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Or | |
| CVE-2023-3128 | Cri | 9.4 | >= 6.7.0, < 8.5.27 | 8.5.27 | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. | |
| CVE-2023-2801 | Hig | 7.5 | >= 9.4.0, < 9.4.12 | 9.4.12 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the | |
| CVE-2023-2183 | Med | 4.1 | >= 8.0.0, < 8.5.26 | 8.5.26 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does | |
| CVE-2023-1387 | Med | 4.2 | >= 9.1.0, < 9.2.17 | 9.2.17 | Apr 26, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option | |
| CVE-2023-1410 | Med | 6.2 | >= 8.0.0, < 8.5.22 | 8.5.22 | Mar 23, 2023 | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacke | |
| CVE-2023-22462 | Med | 6.4 | >= 9.2.0, < 9.2.10 | 9.2.10 | Mar 2, 2023 | Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions | |
| CVE-2023-0594 | Hig | 7.3 | >= 7.0.0, < 8.5.21 | 8.5.21 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properl | |
| CVE-2023-0507 | Hig | 7.3 | >= 8.1.0, < 8.5.21 | 8.5.21 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed | |
| CVE-2022-23498 | Hig | 7.1 | >= 8.3.1, < 9.2.10 | 9.2.10 | Feb 3, 2023 | Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. | |
| CVE-2022-39324 | Med | 6.7 | < 8.5.16 | 8.5.16 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna | |
| CVE-2022-23552 | Hig | 7.3 | >= 8.1.0, < 8.5.16 | 8.5.16 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files | |
| CVE-2022-39307 | Med | 6.7 | < 8.5.15 | 8.5.15 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m |
- affected >= 8.5.0, < 10.4.9fixed 10.4.9
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
- affected >= 11.1.0, < 11.1.3fixed 11.1.3
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must
- affected >= 9.5.0, < 9.5.18fixed 9.5.18
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per
- affected >= 8.5.0, < 9.5.7fixed 9.5.7
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
- affected < 0.6.13fixed 0.6.13
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured t
- affected >= 2.5.0, < 9.5.16fixed 9.5.16
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
- affected >= 9.4.0, < 9.4.17fixed 9.4.17
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode
- affected >= 8.0.0, < 9.4.16fixed 9.4.16
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Or
- affected >= 6.7.0, < 8.5.27fixed 8.5.27
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
- affected >= 9.4.0, < 9.4.12fixed 9.4.12
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the
- affected >= 8.0.0, < 8.5.26fixed 8.5.26
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does
- affected >= 9.1.0, < 9.2.17fixed 9.2.17
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option
- affected >= 8.0.0, < 8.5.22fixed 8.5.22
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacke
- affected >= 9.2.0, < 9.2.10fixed 9.2.10
Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions
- affected >= 7.0.0, < 8.5.21fixed 8.5.21
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properl
- affected >= 8.1.0, < 8.5.21fixed 8.5.21
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed
- affected >= 8.3.1, < 9.2.10fixed 9.2.10
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session.
- affected < 8.5.16fixed 8.5.16
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna
- affected >= 8.1.0, < 8.5.16fixed 8.5.16
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files
- affected < 8.5.15fixed 8.5.15
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m
Page 3 of 5