rpm package
almalinux/grafana
pkg:rpm/almalinux/grafana
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32283 | Hig | 7.5 | < 10.2.6-26.el10_2 | 10.2.6-26.el10_2 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | |
| CVE-2026-32282 | Med | 6.4 | < 10.2.6-26.el10_2 | 10.2.6-26.el10_2 | Apr 8, 2026 | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R | |
| CVE-2026-27877 | Med | 6.5 | < 10.2.6-24.el10_1 | 10.2.6-24.el10_1 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos | |
| CVE-2026-25679 | Hig | 7.5 | < 10.2.6-23.el10_1 | 10.2.6-23.el10_1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2025-68121 | Cri | 10.0 | < 10.2.6-22.el10_1 | 10.2.6-22.el10_1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61728 | — | < 10.2.6-22.el10_1 | 10.2.6-22.el10_1 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||
| CVE-2025-61726 | — | < 10.2.6-22.el10_1 | 10.2.6-22.el10_1 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la | ||
| CVE-2026-21721 | Hig | 8.1 | < 10.2.6-22.el10_1 | 10.2.6-22.el10_1 | Jan 27, 2026 | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑int | |
| CVE-2025-61729 | — | < 9.2.10-27.el8_10 | 9.2.10-27.el8_10 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | ||
| CVE-2025-58183 | Med | 4.3 | < 10.2.6-17.el9_7 | 10.2.6-17.el9_7 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r | |
| CVE-2025-4123 | Hig | 7.6 | < 10.2.6-13.el9_6 | 10.2.6-13.el9_6 | May 22, 2025 | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not requir | |
| CVE-2025-22871 | Cri | 9.1 | < 10.2.6-18.el10_0 | 10.2.6-18.el10_0 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-30204 | Hig | 7.5 | < 10.2.6-9.el9_5 | 10.2.6-9.el9_5 | Mar 21, 2025 | golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou | |
| CVE-2025-21614 | — | < 9.2.10-21.el8_10 | 9.2.10-21.el8_10 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons | ||
| CVE-2025-21613 | — | < 9.2.10-21.el8_10 | 9.2.10-21.el8_10 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag | ||
| CVE-2024-47875 | — | < 9.2.10-20.el8_10 | 9.2.10-20.el8_10 | Oct 11, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. | ||
| CVE-2024-9355 | Med | 6.5 | < 9.2.10-20.el8_10 | 9.2.10-20.el8_10 | Oct 1, 2024 | A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co | |
| CVE-2024-34156 | Hig | 7.5 | < 9.2.10-17.el9_4 | 9.2.10-17.el9_4 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-24791 | Hig | 7.5 | < 9.2.10-18.el8_10 | 9.2.10-18.el8_10 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co | |
| CVE-2024-6104 | — | < 10.2.6-4.el9 | 10.2.6-4.el9 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. |
- affected < 10.2.6-26.el10_2fixed 10.2.6-26.el10_2
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
- affected < 10.2.6-26.el10_2fixed 10.2.6-26.el10_2
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R
- affected < 10.2.6-24.el10_1fixed 10.2.6-24.el10_1
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos
- affected < 10.2.6-23.el10_1fixed 10.2.6-23.el10_1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 10.2.6-22.el10_1fixed 10.2.6-22.el10_1
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61728Jan 28, 2026affected < 10.2.6-22.el10_1fixed 10.2.6-22.el10_1
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726Jan 28, 2026affected < 10.2.6-22.el10_1fixed 10.2.6-22.el10_1
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
- affected < 10.2.6-22.el10_1fixed 10.2.6-22.el10_1
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑int
- CVE-2025-61729Dec 2, 2025affected < 9.2.10-27.el8_10fixed 9.2.10-27.el8_10
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- affected < 10.2.6-17.el9_7fixed 10.2.6-17.el9_7
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
- affected < 10.2.6-13.el9_6fixed 10.2.6-13.el9_6
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not requir
- affected < 10.2.6-18.el10_0fixed 10.2.6-18.el10_0
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 10.2.6-9.el9_5fixed 10.2.6-9.el9_5
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
- CVE-2025-21614Jan 6, 2025affected < 9.2.10-21.el8_10fixed 9.2.10-21.el8_10
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons
- CVE-2025-21613Jan 6, 2025affected < 9.2.10-21.el8_10fixed 9.2.10-21.el8_10
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag
- CVE-2024-47875Oct 11, 2024affected < 9.2.10-20.el8_10fixed 9.2.10-20.el8_10
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
- affected < 9.2.10-20.el8_10fixed 9.2.10-20.el8_10
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co
- affected < 9.2.10-17.el9_4fixed 9.2.10-17.el9_4
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 9.2.10-18.el8_10fixed 9.2.10-18.el8_10
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
- CVE-2024-6104Jun 24, 2024affected < 10.2.6-4.el9fixed 10.2.6-4.el9
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Page 1 of 4