rpm package
almalinux/grafana
pkg:rpm/almalinux/grafana
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-35957 | Med | 6.6 | < 9.0.9-2.el9 | 9.0.9-2.el9 | Sep 20, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana | |
| CVE-2022-27664 | Hig | 7.5 | < 9.0.9-2.el9 | 9.0.9-2.el9 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | |
| CVE-2022-32148 | Med | 6.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the | |
| CVE-2022-30635 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | |
| CVE-2022-30633 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | |
| CVE-2022-30632 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | |
| CVE-2022-30631 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | |
| CVE-2022-30630 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | |
| CVE-2022-28131 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. | |
| CVE-2022-1962 | Med | 5.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | |
| CVE-2022-1705 | Med | 6.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Aug 10, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. | |
| CVE-2022-31107 | Hig | 7.1 | < 7.5.11-5.el9_0 | 7.5.11-5.el9_0 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove | |
| CVE-2021-23648 | Med | 5.4 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Mar 16, 2022 | The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function. | |
| CVE-2022-21698 | Hig | 7.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde | |
| CVE-2022-21713 | Med | 4.3 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci | |
| CVE-2022-21703 | Med | 6.3 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users | |
| CVE-2022-21702 | Med | 6.5 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X | |
| CVE-2022-21673 | Med | 4.3 | < 7.5.15-3.el8 | 7.5.15-3.el8 | Jan 18, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the | |
| CVE-2021-44716 | Hig | 7.5 | < 7.5.9-5.el8_5 | 7.5.9-5.el8_5 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | |
| CVE-2021-43813 | Med | 4.3 | < 7.5.11-2.el8 | 7.5.11-2.el8 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi |
- affected < 9.0.9-2.el9fixed 9.0.9-2.el9
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana
- affected < 9.0.9-2.el9fixed 9.0.9-2.el9
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
- affected < 7.5.11-5.el9_0fixed 7.5.11-5.el9_0
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X
- affected < 7.5.15-3.el8fixed 7.5.15-3.el8
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the
- affected < 7.5.9-5.el8_5fixed 7.5.9-5.el8_5
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
- affected < 7.5.11-2.el8fixed 7.5.11-2.el8
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
Page 3 of 4