VYPR

Bitnami package

grafana

pkg:bitnami/grafana

Vulnerabilities (100)

  • CVE-2021-43815MedDec 10, 2021
    affected < 7.5.12fixed 7.5.12

    Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured

  • CVE-2021-43813MedDec 10, 2021
    affected >= 5.0.0, < 7.5.12fixed 7.5.12

    Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi

  • CVE-2021-43798HigKEVDec 7, 2021
    affected >= 8.0.1, < 8.0.7fixed 8.0.7

    Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,

  • CVE-2021-41244CriNov 15, 2021
    affected >= 8.0.0, < 8.2.4fixed 8.2.4

    Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana

  • CVE-2021-41174MedNov 3, 2021
    affected >= 8.0.0, < 8.2.3fixed 8.2.3

    Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user vi

  • CVE-2021-39226CriKEVOct 5, 2021
    affected < 7.5.11fixed 7.5.11

    Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public

  • CVE-2021-28148HigMar 22, 2021
    affected >= 6.0.0, < 6.7.6fixed 6.7.6

    One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a deni

  • CVE-2021-28147MedMar 22, 2021
    affected >= 6.0.0, < 6.7.6fixed 6.7.6

    The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows

  • CVE-2021-28146MedMar 22, 2021
    affected >= 7.4.0, < 7.4.5fixed 7.4.5

    The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to gra

  • CVE-2021-27962HigMar 22, 2021
    affected >= 7.2.0, < 7.3.10fixed 7.3.10

    Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

  • CVE-2021-27358HigMar 18, 2021
    affected >= 6.7.3, < 7.4.2fixed 7.4.2

    The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

  • CVE-2020-27846CriDec 21, 2020
    affected < 6.7.5fixed 6.7.5

    A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

  • CVE-2020-24303MedOct 28, 2020
    affected < 7.0.6fixed 7.0.6

    Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

  • CVE-2020-11110MedJul 27, 2020
    affected < 6.7.2fixed 6.7.2

    Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

  • CVE-2020-13379HigJun 3, 2020
    affected >= 3.0.1, < 7.0.2fixed 7.0.2

    The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo

  • CVE-2020-13430MedMay 24, 2020
    affected < 7.0.0fixed 7.0.0

    Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

  • CVE-2020-12459MedApr 29, 2020
    affected >= 6.0.0, < 6.3.7fixed 6.3.7

    In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

  • CVE-2020-12458MedApr 29, 2020
    affected < 6.7.4fixed 6.7.4

    An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

  • CVE-2020-12052MedApr 27, 2020
    affected < 6.7.3fixed 6.7.3

    Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

  • CVE-2020-12245MedApr 24, 2020
    affected < 6.7.3fixed 6.7.3

    Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.

Page 5 of 5