Bitnami package
grafana
pkg:bitnami/grafana
Vulnerabilities (97)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-41244 | — | >= 8.0.0, < 8.2.4 | 8.2.4 | Nov 15, 2021 | Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana | ||
| CVE-2021-41174 | — | >= 8.0.0, < 8.2.3 | 8.2.3 | Nov 3, 2021 | Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user vi | ||
| CVE-2021-39226 | — | KEV | < 7.5.11 | 7.5.11 | Oct 5, 2021 | Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public | |
| CVE-2021-28148 | — | >= 6.0.0, < 6.7.6 | 6.7.6 | Mar 22, 2021 | One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a deni | ||
| CVE-2021-28147 | — | >= 6.0.0, < 6.7.6 | 6.7.6 | Mar 22, 2021 | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows | ||
| CVE-2021-28146 | — | >= 7.4.0, < 7.4.5 | 7.4.5 | Mar 22, 2021 | The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to gra | ||
| CVE-2021-27962 | — | >= 7.2.0, < 7.3.10 | 7.3.10 | Mar 22, 2021 | Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access. | ||
| CVE-2021-27358 | — | >= 6.7.3, < 7.4.2 | 7.4.2 | Mar 18, 2021 | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. | ||
| CVE-2020-27846 | — | < 6.7.5 | 6.7.5 | Dec 21, 2020 | A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | ||
| CVE-2020-24303 | — | < 7.0.6 | 7.0.6 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. | ||
| CVE-2020-11110 | — | < 6.7.2 | 6.7.2 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2020-13379 | — | >= 3.0.1, < 7.0.2 | 7.0.2 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13430 | — | < 7.0.0 | 7.0.0 | May 24, 2020 | Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. | ||
| CVE-2020-12458 | — | < 6.7.4 | 6.7.4 | Apr 29, 2020 | An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). | ||
| CVE-2020-12459 | — | >= 6.0.0, < 6.3.7 | 6.3.7 | Apr 29, 2020 | In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable. | ||
| CVE-2020-12052 | — | < 6.7.3 | 6.7.3 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2020-12245 | — | < 6.7.3 | 6.7.3 | Apr 24, 2020 | Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. |
- CVE-2021-41244Nov 15, 2021affected >= 8.0.0, < 8.2.4fixed 8.2.4
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana
- CVE-2021-41174Nov 3, 2021affected >= 8.0.0, < 8.2.3fixed 8.2.3
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user vi
- affected < 7.5.11fixed 7.5.11
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public
- CVE-2021-28148Mar 22, 2021affected >= 6.0.0, < 6.7.6fixed 6.7.6
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a deni
- CVE-2021-28147Mar 22, 2021affected >= 6.0.0, < 6.7.6fixed 6.7.6
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows
- CVE-2021-28146Mar 22, 2021affected >= 7.4.0, < 7.4.5fixed 7.4.5
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to gra
- CVE-2021-27962Mar 22, 2021affected >= 7.2.0, < 7.3.10fixed 7.3.10
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
- CVE-2021-27358Mar 18, 2021affected >= 6.7.3, < 7.4.2fixed 7.4.2
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
- CVE-2020-27846Dec 21, 2020affected < 6.7.5fixed 6.7.5
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
- CVE-2020-24303Oct 28, 2020affected < 7.0.6fixed 7.0.6
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
- CVE-2020-11110Jul 27, 2020affected < 6.7.2fixed 6.7.2
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2020-13379Jun 3, 2020affected >= 3.0.1, < 7.0.2fixed 7.0.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13430May 24, 2020affected < 7.0.0fixed 7.0.0
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
- CVE-2020-12458Apr 29, 2020affected < 6.7.4fixed 6.7.4
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
- CVE-2020-12459Apr 29, 2020affected >= 6.0.0, < 6.3.7fixed 6.3.7
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
- CVE-2020-12052Apr 27, 2020affected < 6.7.3fixed 6.7.3
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2020-12245Apr 24, 2020affected < 6.7.3fixed 6.7.3
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
Page 5 of 5