VYPR

Bitnami package

grafana

pkg:bitnami/grafana

Vulnerabilities (100)

  • CVE-2024-8118MedSep 26, 2024
    affected >= 8.5.0, < 10.4.9fixed 10.4.9

    In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

  • CVE-2024-6322MedAug 20, 2024
    affected >= 11.1.0, < 11.1.3fixed 11.1.3

    Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must

  • CVE-2024-1313MedMar 26, 2024
    affected >= 9.5.0, < 9.5.18fixed 9.5.18

    It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per

  • CVE-2024-1442Mar 7, 2024
    affected >= 8.5.0, < 9.5.7fixed 9.5.7

    A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

  • CVE-2023-5122Feb 14, 2024
    affected < 0.6.13fixed 0.6.13

    Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured t

  • CVE-2023-6152Feb 13, 2024
    affected >= 2.5.0, < 9.5.16fixed 9.5.16

    A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

  • CVE-2023-4399MedOct 17, 2023
    affected >= 9.4.0, < 9.4.17fixed 9.4.17

    Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode

  • CVE-2023-4822MedOct 16, 2023
    affected >= 8.0.0, < 9.4.16fixed 9.4.16

    Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Or

  • CVE-2023-3128CriJun 22, 2023
    affected >= 6.7.0, < 8.5.27fixed 8.5.27

    Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

  • CVE-2023-2801HigJun 6, 2023
    affected >= 9.4.0, < 9.4.12fixed 9.4.12

    Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the

  • CVE-2023-2183MedJun 6, 2023
    affected >= 8.0.0, < 8.5.26fixed 8.5.26

    Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does

  • CVE-2023-1387MedApr 26, 2023
    affected >= 9.1.0, < 9.2.17fixed 9.2.17

    Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option

  • CVE-2023-1410MedMar 23, 2023
    affected >= 8.0.0, < 8.5.22fixed 8.5.22

    Grafana is an open-source platform for monitoring and observability.  Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacke

  • CVE-2023-22462MedMar 2, 2023
    affected >= 9.2.0, < 9.2.10fixed 9.2.10

    Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions

  • CVE-2023-0594HigMar 1, 2023
    affected >= 7.0.0, < 8.5.21fixed 8.5.21

    Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properl

  • CVE-2023-0507HigMar 1, 2023
    affected >= 8.1.0, < 8.5.21fixed 8.5.21

    Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed

  • CVE-2022-23498HigFeb 3, 2023
    affected >= 8.3.1, < 9.2.10fixed 9.2.10

    Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session.

  • CVE-2022-39324MedJan 27, 2023
    affected < 8.5.16fixed 8.5.16

    Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna

  • CVE-2022-23552HigJan 27, 2023
    affected >= 8.1.0, < 8.5.16fixed 8.5.16

    Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files

  • CVE-2022-39307MedNov 9, 2022
    affected < 8.5.15fixed 8.5.15

    Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m