VuXML ID | Description |
6877e164-6296-11ed-9ca2-6c3be5272acd | Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Grafana Labs reports:
On September 7th as a result of an internal security audit we have discovered
that Grafana could leak the authentication cookie of users to plugins. After
further analysis the vulnerability impacts data source and plugin proxy
endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
Discovery: 2022-09-07. Entry: 2022-11-12.
Affected packages: grafana (ge 5.0.0 lt 8.5.14; ge 9.0.0 lt 9.1.8); grafana7 (ge 7.0.0); grafana8 (ge 8.0.0 lt 8.5.14); grafana9 (ge 9.0.0 lt 9.1.8).
References: CVE-2022-39201; https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
|
ecffb881-a7a7-11ed-8d6a-6c3be5272acd | Grafana -- Stored XSS in ResourcePicker component
Grafana Labs reports:
On 2022-12-16 during an internal audit of Grafana, a member of the security
team found a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible because SVG files weren't properly
sanitized, which allowed arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
Discovery: 2022-12-16. Entry: 2023-02-09.
Affected packages: grafana (ge 8.1.0 lt 8.5.16; ge 9.0.0 lt 9.2.10; ge 9.3.0 lt 9.3.4); grafana8 (ge 8.1.0 lt 8.5.16); grafana9 (ge 9.0.0 lt 9.2.10; ge 9.3.0 lt 9.3.4).
References: CVE-2022-23552; https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv
|
d4284c2e-8b83-11ec-b369-6c3be5272acd | Grafana -- CSRF
Grafana Labs reports:
On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
Discovery: 2022-01-18. Entry: 2022-02-12.
Affected packages: grafana6 (ge 6.0.0); grafana7 (< 7.5.15); grafana8 (< 8.3.5).
References: CVE-2022-21703; https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
|
0a80f159-629b-11ed-9ca2-6c3be5272acd | Grafana -- Username enumeration
Grafana Labs reports:
When using the forgot password function on the login page, a POST request is made
to the /api/user/password/sent-reset-email URL. When the username
or email does not exist, a JSON response contains a "user not found" message.
The CVSS score for this vulnerability is 5.3 Moderate.
Discovery: 2022-10-24. Entry: 2022-11-12.
Affected packages: grafana (ge 8.0.0 lt 8.5.15; ge 9.0.0 lt 9.2.4); grafana8 (ge 8.0.0 lt 8.5.15); grafana9 (ge 9.0.0 lt 9.2.4).
References: CVE-2022-39307; https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5
|
e7841611-b808-11ed-b695-6c3be5272acd | Grafana -- Stored XSS in TraceView panel
Grafana Labs reports:
During an internal audit of Grafana on January 30, a member
of the engineering team found a stored XSS vulnerability affecting
the TraceView panel.
The stored XSS vulnerability was possible because the values of a span's
attributes/resources were not properly sanitized, and they are rendered
when the span's attributes/resources are expanded.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Discovery: 2023-01-30. Entry: 2023-03-01.
Affected packages: grafana (< 8.5.21; ge 9.0.0 lt 9.2.13; ge 9.3.0 lt 9.3.8); grafana8 (< 8.5.21); grafana9 (ge 9.0.0 lt 9.2.13; ge 9.3.0 lt 9.3.8).
References: CVE-2023-0594; https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
|
6c1de144-056f-11ee-8e16-6c3be5272acd | Grafana -- Broken access control: viewer can send test alerts
Grafana Labs reports:
Grafana can allow an attacker in the Viewer role
to send alerts by API Alert - Test. This option,
however, is not available in the user panel UI for the Viewer role.
The CVSS score for this vulnerability is 4.1 Medium
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
Discovery: 2023-06-06. Entry: 2023-06-07.
Affected packages: grafana (ge 8.0.0 lt 8.5.26; ge 9.0.0 lt 9.2.19; ge 9.3.0 lt 9.3.15; ge 9.4.0 lt 9.4.12; ge 9.5.0 lt 9.5.3); grafana8 (ge 8.0.0 lt 8.5.26); grafana9 (< 9.2.19; ge 9.3.0 lt 9.3.15; ge 9.4.0 lt 9.4.12; ge 9.5.0 lt 9.5.3).
References: CVE-2023-2183; https://grafana.com/security/security-advisories/cve-2023-2183/
|
e6281d88-a7a7-11ed-8d6a-6c3be5272acd | Grafana -- Spoofing originalUrl of snapshots
Grafana Labs reports:
A third-party penetration test of Grafana found a vulnerability
in the snapshot functionality. The value of the originalUrl parameter
is automatically generated. The purpose of the presented originalUrl parameter
is to provide a user who views the snapshot with the possibility to click
on the Local Snapshot button in the Grafana web UI
and be presented with the dashboard that the snapshot captured. The value
of the originalUrl parameter can be arbitrarily chosen by a malicious user that
creates the snapshot. (Note: This can be done by editing the query thanks
to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM
(CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
Discovery: 2023-01-25. Entry: 2023-02-09.
Affected packages: grafana (ge 8.0.0 lt 8.5.16; ge 9.0.0 lt 9.2.10; ge 9.3.0 lt 9.3.4); grafana8 (ge 8.0.0 lt 8.5.16); grafana9 (ge 9.0.0 lt 9.2.10; ge 9.3.0 lt 9.3.4).
References: CVE-2022-39324; https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
|
6eb6a442-629a-11ed-9ca2-6c3be5272acd | Grafana -- Privilege escalation
Grafana Labs reports:
Grafana admins can invite other members to the organization they are
an admin for. When admins add members to the organization, non-existing users
get an email invite, while existing members are added directly to the organization.
When an invite link is sent, it allows users to sign up with whatever
username/email address the user chooses and become a member of the organization.
The CVSS score for this vulnerability is 6.4 Moderate.
Discovery: 2022-10-24. Entry: 2022-11-12.
Affected packages: grafana (ge 8.0.0 lt 8.5.15; ge 9.0.0 lt 9.2.4); grafana8 (ge 8.0.0 lt 8.5.15); grafana9 (ge 9.0.0 lt 9.2.4).
References: CVE-2022-39306; https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84
|
6f6c9420-6297-11ed-9ca2-6c3be5272acd | Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Grafana Labs reports:
On June 26 a security researcher contacted Grafana Labs to disclose
a vulnerability with the GitLab data source plugin that could leak the API key
to GitLab. After further analysis the vulnerability impacts data source
and plugin proxy endpoints with authentication tokens but under some conditions.
We believe that this vulnerability is rated at CVSS 4.9
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Discovery: 2022-06-26. Entry: 2022-11-12.
Affected packages: grafana (ge 7.0.0 lt 8.5.14; ge 9.0.0 lt 9.1.8); grafana7 (ge 7.0.0); grafana8 (ge 8.0.0 lt 8.5.14); grafana9 (ge 9.0.0 lt 9.1.8).
References: CVE-2022-31130; https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
|
fdbe9aec-118b-11ee-908a-6c3be5272acd | Grafana -- Account takeover / authentication bypass
Grafana Labs reports:
Grafana validates Azure Active Directory accounts based on the email claim.
On Azure AD, the profile email field is not unique across Azure AD tenants.
This can enable a Grafana account takeover and authentication bypass when
Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
Discovery: 2023-06-22. Entry: 2023-06-23.
Affected packages: grafana (ge 6.7.0 lt 8.5.27; ge 9.0.0 lt 9.2.20; ge 9.3.0 lt 9.3.16; ge 9.4.0 lt 9.4.13; ge 9.5.0 lt 9.5.5; ge 10.0.0 lt 10.0.1); grafana8 (< 8.5.27); grafana9 (< 9.2.20; ge 9.3.0 lt 9.3.16; ge 9.4.0 lt 9.4.13; ge 9.5.0 lt 9.5.5); grafana10 (< 10.0.1).
References: CVE-2023-3128; https://grafana.com/security/security-advisories/cve-2023-3128
|
909a80ba-6294-11ed-9ca2-6c3be5272acd | Grafana -- Improper authentication
Grafana Labs reports:
On September 7, as a result of an internal security audit, we discovered
a security vulnerability in Grafana's basic authentication related to the usage
of username and email address.
In Grafana, a user's username and email address are unique fields, which
means no other user can have the same username or email address as another user.
In addition, a user can have an email address as a username, and the Grafana
login allows users to sign in with either username or email address. This
creates an unusual behavior, where user_1 can register with one email
address and user_2 can register their username as user_1's
email address. As a result, user_1 would be prevented from signing
in to Grafana, since user_1's password won't match with user_2's
email address.
The CVSS score for this vulnerability is 4.3 moderate
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Discovery: 2022-09-07. Entry: 2022-11-12.
Affected packages: grafana (ge 8.0.0 lt 8.5.14; ge 9.0.0 lt 9.1.8); grafana8 (ge 8.0.0 lt 8.5.14); grafana9 (ge 9.0.0 lt 9.1.8).
References: CVE-2022-39229; https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r
|
e2a8e2bd-b808-11ed-b695-6c3be5272acd | Grafana -- Stored XSS in geomap panel plugin via attribution
Grafana Labs reports:
During an internal audit of Grafana on January 25, a member of the security
team found a stored XSS vulnerability affecting the core geomap plugin.
The stored XSS vulnerability was possible because map attributions weren't
properly sanitized, allowing arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Discovery: 2023-01-25. Entry: 2023-03-01.
Affected packages: grafana (< 8.5.21; ge 9.0.0 lt 9.2.13; ge 9.3.0 lt 9.3.8); grafana8 (< 8.5.21); grafana9 (ge 9.0.0 lt 9.2.13; ge 9.3.0 lt 9.3.8).
References: CVE-2023-0507; https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
|
95e6e6ca-3986-11ed-8e0c-6c3be5272acd | Grafana -- Privilege escalation
Grafana Labs reports:
On August 9 an internal security review identified a vulnerability
in Grafana which allows an escalation from Admin privileges
to Server Admin when Auth proxy authentication is used.
Auth proxy allows authenticating a user by only providing the username
(or email) in an X-WEBAUTH-USER HTTP header: the trust assumption
is that a front proxy will take care of authentication and that the Grafana server
is publicly reachable only through this front proxy.
Datasource proxy breaks this assumption:
- it is possible to configure a fake datasource pointing to a localhost Grafana install with an X-WEBAUTH-USER HTTP header containing the admin username.
- This fake datasource can be called publicly via this proxying feature.
The CVSS score for this vulnerability is 6.6 Moderate
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Discovery: 2022-08-09. Entry: 2022-09-21.
Affected packages: grafana (ge 2.1.0 lt 8.5.13; ge 9.0.0 lt 9.0.9; ge 9.1.0 lt 9.1.6); grafana7 (ge 7.0); grafana8 (ge 8.0.0 lt 8.5.13); grafana9 (ge 9.0.0 lt 9.0.9; ge 9.1.0 lt 9.1.6).
References: CVE-2022-35957; https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
|
a994ff7d-5b3f-11ec-8398-6c3be5272acd | Grafana -- Directory Traversal
GitHub Security Labs reports:
A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files
Discovery: 2021-12-09. Entry: 2021-12-12.
Affected packages: grafana (ge 5.0.0 lt 7.5.12; ge 8.0.0 lt 8.3.2); grafana6 (ge 6.0.0); grafana7 (ge 7.0.0 lt 7.5.12); grafana8 (ge 8.0.0 lt 8.3.2).
References: CVE-2021-43813; https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
|
c2a7de31-5b42-11ec-8398-6c3be5272acd | Grafana -- Directory Traversal
GitHub Security Labs reports:
A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is: /api/ds/query
Discovery: 2021-12-09. Entry: 2021-12-12.
Affected packages: grafana (no version range listed); grafana8 (ge 8.0.0 lt 8.3.2).
References: CVE-2021-43815; https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
|
4e60d660-6298-11ed-9ca2-6c3be5272acd | Grafana -- Plugin signature bypass
Grafana Labs reports:
On July 4th as a result of an internal security audit we have discovered
a bypass in the plugin signature verification by exploiting a versioning flaw.
We believe that this vulnerability is rated at CVSS 6.1
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).
Discovery: 2022-07-04. Entry: 2022-11-12.
Affected packages: grafana (ge 7.0.0 lt 8.5.14; ge 9.0.0 lt 9.1.8); grafana7 (ge 7.0.0); grafana8 (ge 8.0.0 lt 8.5.14); grafana9 (ge 9.0.0 lt 9.1.8).
References: CVE-2022-31123; https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
|
d71d154a-8b83-11ec-b369-6c3be5272acd | Grafana -- Teams API IDOR
Grafana Labs reports:
On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:
- /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
- /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
- /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Discovery: 2022-01-18. Entry: 2022-02-12.
Affected packages: grafana6 (ge 6.0.0); grafana7 (< 7.5.15); grafana8 (< 8.3.5).
References: CVE-2022-21713; https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
|
cecbc674-8b83-11ec-b369-6c3be5272acd | Grafana -- XSS
Grafana Labs reports:
On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
Discovery: 2022-01-16. Entry: 2022-02-12.
Affected packages: grafana6 (ge 6.0.0); grafana7 (< 7.5.15); grafana8 (< 8.3.5).
References: CVE-2022-21702; https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
|
955eb3cc-ce0b-11ed-825f-6c3be5272acd | Grafana -- Stored XSS in Graphite FunctionDescription tooltip
Grafana Labs reports:
When a user adds a Graphite data source, they can then use the data source
in a dashboard. This capability contains a feature to use Functions. Once
a function is selected, a small tooltip appears when hovering over the name
of the function. This tooltip allows you to delete the selected Function
from your query or show the Function Description. However, no sanitization
is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker
could host a Graphite instance with modified Function Descriptions containing
XSS payloads. When the victim uses it in a query and accidentally hovers
over the Function Description, an attacker-controlled XSS payload
will be executed.
The severity of this vulnerability is of CVSSv3.1 5.7 Medium
(CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
Discovery: 2023-03-14. Entry: 2023-03-29.
Affected packages: grafana (< 8.5.22; ge 9.0.0 lt 9.2.15; ge 9.3.0 lt 9.3.11; ge 9.4.0 lt 9.4.7); grafana8 (< 8.5.22); grafana9 (< 9.2.15; ge 9.3.0 lt 9.3.11; ge 9.4.0 lt 9.4.7).
References: CVE-2023-1410; https://grafana.com/security/security-advisories/cve-2023-1410/
|
0b85b1cd-e468-11ed-834b-6c3be5272acd | Grafana -- Critical vulnerability in golang
Grafana Labs reports:
An issue in how go handles backticks (`) with Javascript can lead to
an injection of arbitrary code into go templates. While Grafana Labs software
contains potentially vulnerable versions of go, we have not identified any
exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
Discovery: 2023-04-19. Entry: 2023-04-26.
Affected packages: grafana (< 8.5.24; ge 9.0.0 lt 9.2.17; ge 9.3.0 lt 9.3.13; ge 9.4.0 lt 9.4.9); grafana8 (< 8.5.24); grafana9 (< 9.2.17; ge 9.3.0 lt 9.3.13; ge 9.4.0 lt 9.4.9).
References: CVE-2023-24538; https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/
|