VYPR

rpm package

almalinux/grafana

pkg:rpm/almalinux/grafana

Vulnerabilities (73)

  • CVE-2022-35957MedSep 20, 2022
    affected < 9.0.9-2.el9fixed 9.0.9-2.el9

    Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana

  • CVE-2022-27664HigSep 6, 2022
    affected < 9.0.9-2.el9fixed 9.0.9-2.el9

    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

  • CVE-2022-32148MedAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the

  • CVE-2022-30635HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

  • CVE-2022-30633HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

  • CVE-2022-30632HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.

  • CVE-2022-30631HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

  • CVE-2022-30630HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

  • CVE-2022-28131HigAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

  • CVE-2022-1962MedAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

  • CVE-2022-1705MedAug 10, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

  • CVE-2022-31107HigJul 15, 2022
    affected < 7.5.11-5.el9_0fixed 7.5.11-5.el9_0

    Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove

  • CVE-2021-23648MedMar 16, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

  • CVE-2022-21698HigFeb 15, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde

  • CVE-2022-21713MedFeb 8, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci

  • CVE-2022-21703MedFeb 8, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users

  • CVE-2022-21702MedFeb 8, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X

  • CVE-2022-21673MedJan 18, 2022
    affected < 7.5.15-3.el8fixed 7.5.15-3.el8

    Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the

  • CVE-2021-44716HigJan 1, 2022
    affected < 7.5.9-5.el8_5fixed 7.5.9-5.el8_5

    net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

  • CVE-2021-43813MedDec 10, 2021
    affected < 7.5.11-2.el8fixed 7.5.11-2.el8

    Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi