rpm package
almalinux/grafana
pkg:rpm/almalinux/grafana
Vulnerabilities (71)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-24788 | Med | 5.9 | — | < 9.2.10-17.el8_10 | 9.2.10-17.el8_10 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. |
| CVE-2024-1313 | Med | 6.5 | — | < 9.2.10-16.el9_4.alma.1 | 9.2.10-16.el9_4.alma.1 | Mar 26, 2024 | It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per |
| CVE-2024-1394 | Hig | 7.5 | — | < 9.2.10-8.el9_3.alma.1 | 9.2.10-8.el9_3.alma.1 | Mar 21, 2024 | A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and |
| CVE-2023-39325 | — | — | — | < 7.5.15-5.el8_8.alma.1 | 7.5.15-5.el8_8.alma.1 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack |
| CVE-2023-44487 | Hig | 7.5 | KEV | < 7.5.15-5.el8_8.alma.1 | 7.5.15-5.el8_8.alma.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-3128 | — | — | — | < 9.0.9-3.el9_2.alma | 9.0.9-3.el9_2.alma | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. |
| CVE-2023-24534 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Apr 6, 2023 | HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more m |
| CVE-2022-23552 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files |
| CVE-2022-39324 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the sna |
| CVE-2022-41717 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s |
| CVE-2022-39307 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. When using the forgot password function on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m |
| CVE-2022-39306 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the o |
| CVE-2022-41715 | — | — | — | < 9.0.9-2.el9 | 9.0.9-2.el9 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm |
| CVE-2022-2880 | — | — | — | < 9.0.9-2.el9 | 9.0.9-2.el9 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s |
| CVE-2022-39229 | — | — | — | < 9.0.9-2.el9 | 9.0.9-2.el9 | Oct 13, 2022 | Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else's email address as a username. A Grafana user’s username and email address are |
| CVE-2022-39201 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints un |
| CVE-2022-31130 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoint |
| CVE-2022-31123 | — | — | — | < 9.2.10-7.el9_3.alma.1 | 9.2.10-7.el9_3.alma.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though uns |
| CVE-2022-35957 | — | — | — | < 9.0.9-2.el9 | 9.0.9-2.el9 | Sep 20, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana |
| CVE-2022-27664 | — | — | — | < 9.0.9-2.el9 | 9.0.9-2.el9 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. |
Page 2 of 4