VYPR

rpm package

almalinux/grafana

pkg:rpm/almalinux/grafana

Vulnerabilities (73)

  • CVE-2024-24789Jun 5, 2024
    affected < 9.2.10-17.el8_10fixed 9.2.10-17.el8_10

    The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac

  • CVE-2024-24790Jun 5, 2024
    affected < 9.2.10-17.el8_10fixed 9.2.10-17.el8_10

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

  • CVE-2024-24788MedMay 8, 2024
    affected < 9.2.10-17.el8_10fixed 9.2.10-17.el8_10

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-1313MedMar 26, 2024
    affected < 9.2.10-16.el9_4.alma.1fixed 9.2.10-16.el9_4.alma.1

    It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per

  • CVE-2024-1394HigMar 21, 2024
    affected < 9.2.10-8.el9_3.alma.1fixed 9.2.10-8.el9_3.alma.1

    A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and

  • CVE-2023-39325HigOct 11, 2023
    affected < 7.5.15-5.el8_8.alma.1fixed 7.5.15-5.el8_8.alma.1

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-44487HigKEVOct 10, 2023
    affected < 7.5.15-5.el8_8.alma.1fixed 7.5.15-5.el8_8.alma.1

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-3128CriJun 22, 2023
    affected < 9.0.9-3.el9_2.almafixed 9.0.9-3.el9_2.alma

    Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

  • CVE-2023-24534HigApr 6, 2023
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more m

  • CVE-2022-39324MedJan 27, 2023
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna

  • CVE-2022-23552HigJan 27, 2023
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files

  • CVE-2022-41717MedDec 8, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s

  • CVE-2022-39307MedNov 9, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m

  • CVE-2022-39306MedNov 9, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the o

  • CVE-2022-41715HigOct 14, 2022
    affected < 9.0.9-2.el9fixed 9.0.9-2.el9

    Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm

  • CVE-2022-2880HigOct 14, 2022
    affected < 9.0.9-2.el9fixed 9.0.9-2.el9

    Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s

  • CVE-2022-39229MedOct 13, 2022
    affected < 9.0.9-2.el9fixed 9.0.9-2.el9

    Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are

  • CVE-2022-39201MedOct 13, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints un

  • CVE-2022-31130MedOct 13, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoint

  • CVE-2022-31123MedOct 13, 2022
    affected < 9.2.10-7.el9_3.alma.1fixed 9.2.10-7.el9_3.alma.1

    Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though uns