FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-07-21 20:49:39 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
6d31ef38-df85-11ee-abf1-6c3be5272acd | Grafana -- Data source permission escalation

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.


Discovery: 2024-02-12
Entry: 2024-03-11
Modified: 2024-03-26

Affected packages:

grafana
  >= 8.5.0, < 9.5.17
  >= 10.0.0, < 10.0.12
  >= 10.1.0, < 10.1.8
  >= 10.2.0, < 10.2.5
  >= 10.3.0, < 10.3.4
grafana9
  < 9.5.17

References:

CVE-2024-1442
https://grafana.com/security/security-advisories/cve-2024-1442/

310f5923-211c-11f0-8ca6-6c3be5272acd | Grafana -- Authorization bypass in data source proxy API

Grafana Labs reports:

This vulnerability, which was discovered while reviewing a pull request from an external contributor, affects Grafana’s data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.

The CVSS score for this vulnerability is 5.0 MEDIUM.


Discovery: 2025-03-25
Entry: 2025-04-24

Affected packages:

grafana
  >= 8.0.0, < 10.4.17+security-01
  >= 11.0.0, < 11.2.8+security-01
  >= 11.3.0, < 11.3.5+security-01
  >= 11.4.0, < 11.4.3+security-01
  >= 11.5.0, < 11.5.3+security-01
  >= 11.6.0, < 11.6.0+security-01
grafana8
  >= 8.0.0
grafana9
  >= 9.0.0

References:

CVE-2025-3454
https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/