Grafana — свободная программная система визуализации данных, ориентированная на данные систем ИТ-мониторинга.
Релизный цикл, информация об уязвимостях
График релизов
Количество 394
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of.
BDU:2025-01981
Уязвимость веб-инструмента представления данных Grafana, связанная с обходом авторизации с помощью ключа, контролируемого пользователем, позволяющая нарушителю оказать влияние на целостность защищаемой информации
CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
GHSA-q99m-qcv4-fpm7
Grafana Command Injection And Local File Inclusion Via Sql Expressions
CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the eva ...
CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
BDU:2024-07696
Уязвимость реализации прикладного программного интерфейса Endpoint платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии
BDU:2024-08254
Уязвимость функции Expressions платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю выполнить произвольный код
BDU:2024-09900
Уязвимость функции Organizations платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2024-10452 Organization admins can delete pending invites created in an organization they are not part of. | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
 | BDU:2025-01981 Уязвимость веб-инструмента представления данных Grafana, связанная с обходом авторизации с помощью ключа, контролируемого пользователем, позволяющая нарушителю оказать влияние на целостность защищаемой информации | CVSS3: 2.7 | 0% Низкий | около 1 года назад |
| CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | CVSS3: 9.9 | 94% Критический | около 1 года назад |
| GHSA-q99m-qcv4-fpm7 Grafana Command Injection And Local File Inclusion Via Sql Expressions | CVSS3: 9.9 | 94% Критический | около 1 года назад |
 | CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | CVSS3: 9.9 | 94% Критический | около 1 года назад |
| CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the eva ... | CVSS3: 9.9 | 94% Критический | около 1 года назад |
 | CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | CVSS3: 9.9 | 94% Критический | около 1 года назад |
| BDU:2024-07696 Уязвимость реализации прикладного программного интерфейса Endpoint платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии | CVSS3: 4.1 | 0% Низкий | около 1 года назад |
| BDU:2024-08254 Уязвимость функции Expressions платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю выполнить произвольный код | CVSS3: 9.9 | 94% Критический | около 1 года назад |
| BDU:2024-09900 Уязвимость функции Organizations платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии | CVSS3: 4.2 | 0% Низкий | больше 1 года назад |
Уязвимостей на страницу