rpm package
opensuse/grafana&distro=openSUSE Leap 15.5
pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.5
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-1313 | Med | 6.5 | < 9.5.18-150200.3.56.1 | 9.5.18-150200.3.56.1 | Mar 26, 2024 | It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per | |
| CVE-2023-6152 | — | < 9.5.18-150200.3.56.1 | 9.5.18-150200.3.56.1 | Feb 13, 2024 | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. | ||
| CVE-2023-29409 | — | < 9.5.5-150200.3.47.1 | 9.5.5-150200.3.47.1 | Aug 2, 2023 | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr | ||
| CVE-2023-3128 | — | < 9.5.5-150200.3.44.1 | 9.5.5-150200.3.44.1 | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. | ||
| CVE-2023-2183 | — | < 9.5.5-150200.3.44.1 | 9.5.5-150200.3.44.1 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does | ||
| CVE-2023-2801 | — | < 9.5.5-150200.3.44.1 | 9.5.5-150200.3.44.1 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the | ||
| CVE-2023-1387 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Apr 26, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option | ||
| CVE-2023-1410 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Mar 23, 2023 | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacke | ||
| CVE-2022-32149 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Oct 14, 2022 | An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | ||
| CVE-2022-36062 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Sep 22, 2022 | Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerabil | ||
| CVE-2022-35957 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Sep 20, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana | ||
| CVE-2022-27664 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2022-31107 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove | ||
| CVE-2022-31097 | — | < 9.5.1-150200.3.41.3 | 9.5.1-150200.3.41.3 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability | ||
| CVE-2021-43138 | — | < 9.5.8-150200.3.53.2 | 9.5.8-150200.3.53.2 | Apr 6, 2022 | In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. | ||
| CVE-2022-0155 | — | < 9.5.8-150200.3.53.2 | 9.5.8-150200.3.53.2 | Jan 10, 2022 | follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor | ||
| CVE-2021-3918 | — | < 9.5.8-150200.3.53.2 | 9.5.8-150200.3.53.2 | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||
| CVE-2021-3807 | — | < 9.5.8-150200.3.53.2 | 9.5.8-150200.3.53.2 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2020-7753 | — | < 9.5.8-150200.3.53.2 | 9.5.8-150200.3.53.2 | Oct 27, 2020 | All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). |
- affected < 9.5.18-150200.3.56.1fixed 9.5.18-150200.3.56.1
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per
- CVE-2023-6152Feb 13, 2024affected < 9.5.18-150200.3.56.1fixed 9.5.18-150200.3.56.1
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
- CVE-2023-29409Aug 2, 2023affected < 9.5.5-150200.3.47.1fixed 9.5.5-150200.3.47.1
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr
- CVE-2023-3128Jun 22, 2023affected < 9.5.5-150200.3.44.1fixed 9.5.5-150200.3.44.1
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
- CVE-2023-2183Jun 6, 2023affected < 9.5.5-150200.3.44.1fixed 9.5.5-150200.3.44.1
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does
- CVE-2023-2801Jun 6, 2023affected < 9.5.5-150200.3.44.1fixed 9.5.5-150200.3.44.1
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the
- CVE-2023-1387Apr 26, 2023affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option
- CVE-2023-1410Mar 23, 2023affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacke
- CVE-2022-32149Oct 14, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
- CVE-2022-36062Sep 22, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerabil
- CVE-2022-35957Sep 20, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana
- CVE-2022-27664Sep 6, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2022-31107Jul 15, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove
- CVE-2022-31097Jul 15, 2022affected < 9.5.1-150200.3.41.3fixed 9.5.1-150200.3.41.3
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability
- CVE-2021-43138Apr 6, 2022affected < 9.5.8-150200.3.53.2fixed 9.5.8-150200.3.53.2
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
- CVE-2022-0155Jan 10, 2022affected < 9.5.8-150200.3.53.2fixed 9.5.8-150200.3.53.2
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
- CVE-2021-3918Nov 13, 2021affected < 9.5.8-150200.3.53.2fixed 9.5.8-150200.3.53.2
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3807Sep 17, 2021affected < 9.5.8-150200.3.53.2fixed 9.5.8-150200.3.53.2
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
- CVE-2020-7753Oct 27, 2020affected < 9.5.8-150200.3.53.2fixed 9.5.8-150200.3.53.2
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().