rpm package
suse/grafana&distro=SUSE Enterprise Storage 6
pkg:rpm/suse/grafana&distro=SUSE%20Enterprise%20Storage%206
Vulnerabilities (23)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-36062 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Sep 22, 2022 | Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerabil | ||
| CVE-2022-35957 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Sep 20, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana | ||
| CVE-2022-31107 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove | ||
| CVE-2022-31097 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability | ||
| CVE-2022-21713 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci | ||
| CVE-2022-21703 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users | ||
| CVE-2022-21702 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X | ||
| CVE-2022-21673 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Jan 18, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the | ||
| CVE-2021-43815 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured | ||
| CVE-2021-43813 | — | < 7.5.12-150100.3.9.1 | 7.5.12-150100.3.9.1 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi | ||
| CVE-2021-43798 | — | KEV | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Dec 7, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, | |
| CVE-2021-41244 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Nov 15, 2021 | Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana | ||
| CVE-2021-41174 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Nov 3, 2021 | Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user vi | ||
| CVE-2021-39226 | — | KEV | < 7.5.12-150100.3.9.1 | 7.5.12-150100.3.9.1 | Oct 5, 2021 | Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public | |
| CVE-2021-3711 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Aug 24, 2021 | In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with | ||
| CVE-2021-36222 | — | < 8.5.13-150100.3.12.1 | 8.5.13-150100.3.12.1 | Jul 22, 2021 | ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a | ||
| CVE-2020-24303 | — | < 7.3.1-3.6.1 | 7.3.1-3.6.1 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. | ||
| CVE-2019-19499 | — | < 7.3.1-3.6.1 | 7.3.1-3.6.1 | Aug 28, 2020 | Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations. | ||
| CVE-2020-13379 | — | < 7.3.1-3.6.1 | 7.3.1-3.6.1 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2018-18623 | — | < 7.3.1-3.6.1 | 7.3.1-3.6.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
- CVE-2022-36062Sep 22, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerabil
- CVE-2022-35957Sep 20, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana
- CVE-2022-31107Jul 15, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take ove
- CVE-2022-31097Jul 15, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability
- CVE-2022-21713Feb 8, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci
- CVE-2022-21703Feb 8, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users
- CVE-2022-21702Feb 8, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X
- CVE-2022-21673Jan 18, 2022affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the
- CVE-2021-43815Dec 10, 2021affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured
- CVE-2021-43813Dec 10, 2021affected < 7.5.12-150100.3.9.1fixed 7.5.12-150100.3.9.1
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
- affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,
- CVE-2021-41244Nov 15, 2021affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana
- CVE-2021-41174Nov 3, 2021affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user vi
- affected < 7.5.12-150100.3.9.1fixed 7.5.12-150100.3.9.1
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public
- CVE-2021-3711Aug 24, 2021affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with
- CVE-2021-36222Jul 22, 2021affected < 8.5.13-150100.3.12.1fixed 8.5.13-150100.3.12.1
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a
- CVE-2020-24303Oct 28, 2020affected < 7.3.1-3.6.1fixed 7.3.1-3.6.1
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
- CVE-2019-19499Aug 28, 2020affected < 7.3.1-3.6.1fixed 7.3.1-3.6.1
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
- CVE-2020-13379Jun 3, 2020affected < 7.3.1-3.6.1fixed 7.3.1-3.6.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2018-18623Jun 2, 2020affected < 7.3.1-3.6.1fixed 7.3.1-3.6.1
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Page 1 of 2