VYPR

Vendor CVEs

Grafana

All CVEs

122 total · sorted by risk
  • CVE-2022-39229Oct 13, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address…

  • CVE-2022-36062Sep 22, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The…

  • CVE-2022-35957Sep 20, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the…

  • CVE-2022-31176Sep 2, 2022
    risk 0.00cvss epss 0.01

    Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to…

  • CVE-2022-31107Jul 15, 2022
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take…

  • CVE-2022-29170May 20, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with…

  • CVE-2022-28660May 20, 2022
    risk 0.00cvss epss 0.01

    The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode

  • CVE-2022-24812Apr 12, 2022
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the…

  • CVE-2022-21713Feb 8, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the…

  • CVE-2022-21703Feb 8, 2022
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users…

  • CVE-2022-21702Feb 8, 2022
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting…

  • CVE-2022-21673Jan 18, 2022
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of…

  • CVE-2021-43815Dec 10, 2021
    risk 0.00cvss epss 0.02

    Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and…

  • CVE-2021-41244Nov 15, 2021
    risk 0.00cvss epss 0.03

    Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations.…

  • CVE-2021-41174Nov 3, 2021
    risk 0.00cvss epss 0.85

    Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user…

  • CVE-2021-31231Apr 30, 2021
    risk 0.00cvss epss 0.00

    The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a…

  • CVE-2021-28147Mar 22, 2021
    risk 0.00cvss epss 0.02

    The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows…

  • CVE-2021-28146Mar 22, 2021
    risk 0.00cvss epss 0.01

    The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to…

  • CVE-2021-27962Mar 22, 2021
    risk 0.00cvss epss 0.02

    Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

  • CVE-2020-13429May 24, 2020
    risk 0.00cvss epss 0.01

    legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option.

  • CVE-2020-12052Apr 27, 2020
    risk 0.00cvss epss 0.01

    Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

  • CVE-2019-15635Sep 23, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction…

Page 3 of 3