Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2026:20940-1

Опубликовано: 10 июн. 2026
Источник: suse-cvrf

Описание

Security update for grafana

This update for grafana fixes the following issues:

Changes in grafana:

  • CVE-2026-39821: Fix validation bypass and privilege escalation by updating golang.org/x/net to version 0.55.0 (bsc#1266600)

  • Update to version 11.6.14+security-04: Security:

    • CVE-2026-28374: Fix insecure direct object reference in Annotations API (bsc#1265290)
    • CVE-2026-28376: Fix unbounded memory allocation in Grafana Live push endpoint (bsc#1265289)
    • CVE-2026-28383: Fix unbounded memory allocation in Grafana plugin resources (bsc#1265286)
    • CVE-2026-28380: Fix broken access control in Snapshot API (bsc#1265287)
    • CVE-2026-33376: Fix Auth Proxy IPv6 whitelist bypass (bsc#1265285)
    • CVE-2026-28379: Fix viewer-triggered race condition in Grafana Live (bsc#1265288)
    • CVE-2026-33377: Fix dashboard Editor Privilege Escalation (bsc#1265284)
    • CVE-2026-33378: Fix OOM exception in Grafana Data Source Plugin (bsc#1265283)
    • CVE-2026-33381: Prevent users from generating Service Account tokens after permissions removal (bsc#1265281)
    • CVE-2026-33380: Fix vulnerability in SQL Expressions allowing an authenticated attacker to read arbitrary files from the Grafana server’s filesystem (bsc#1265282)

  • CVE-2026-34986: Fix panic in JWE decryption (bsc#1262950)

  • CVE-2026-41602: Fix Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)

  • CVE-2026-26958: Bump filippo.io/edwards25519 to version 1.1.1 (bsc#1258595)

  • CVE-2026-21725: Fix missing UID when deleting datasource by name (bsc#1258873)

  • Update to version 11.6.14+security-01: Security:

    • CVE-2026-33375: Fix denial of Service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)

  • Update to version 11.6.14: Security:

    • CVE-2026-27876: Fix remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
    • CVE-2026-27877: Fix information disclosure of data-source passwords via public dashboards (bsc#1261026)
    • CVE-2026-28375: Fix denial of service via testdata data-source (bsc#1261029)
    • CVE-2026-27879: Fix denial of service via resample query (bsc#1261027)
    • CVE-2026-33186: Fix authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263)
    • CVE-2026-21724: Fix authorization bypass allows modification of protected webhook URLs (bsc#1260878)

  • Update to version 11.6.13: Enhancement:

    • Wire the public dashboard service to the HTTP server

  • Update to version 11.6.12: Enhancement:

    • Update authentication redirect logic Bug fix:
    • Fix single panel render with variable references

Список пакетов

openSUSE Leap 16.0
grafana-11.6.14+security04-bp160.1.1

Ссылки

Описание

go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A resample query can be used to trigger out-of-memory crashes in Grafana.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

Any Editor could delete any snapshot, even if they have no access to read or write them.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки

Описание

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Затронутые продукты
openSUSE Leap 16.0:grafana-11.6.14+security04-bp160.1.1
Ссылки
Уязвимость openSUSE-SU-2026:20940-1