Grafana — свободная программная система визуализации данных, ориентированная на данные систем ИТ-мониторинга.
Релизный цикл, информация об уязвимостях
График релизов
Количество 391
CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On ...
CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
BDU:2023-03343
Уязвимость веб-инструмента представления данных Grafana, связанная с обходом аутентификации посредством спуфинга, позволяющая нарушителю получить полный доступ к учетной записи пользователя
GHSA-cvm3-pp2j-chr3
Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
GHSA-x2w4-c67p-g44j
Grafana Missing Synchronization vulnerability
CVE-2023-2801
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.
CVE-2023-2801
Grafana is an open-source platform for monitoring and observability. ...
CVE-2023-2183
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
CVE-2023-2183
Grafana is an open-source platform for monitoring and observability. ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2023-3128 Grafana is validating Azure AD accounts based on the email claim. On ... | CVSS3: 9.4 | 2% Низкий | больше 2 лет назад |
 | CVE-2023-3128 Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. | CVSS3: 9.4 | 2% Низкий | больше 2 лет назад |
 | CVE-2023-3128 Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. | CVSS3: 9.8 | 2% Низкий | больше 2 лет назад |
 | BDU:2023-03343 Уязвимость веб-инструмента представления данных Grafana, связанная с обходом аутентификации посредством спуфинга, позволяющая нарушителю получить полный доступ к учетной записи пользователя | CVSS3: 9.4 | 2% Низкий | больше 2 лет назад |
| GHSA-cvm3-pp2j-chr3 Grafana has Broken Access Control in Alert manager: Viewer can send test alerts | CVSS3: 4.1 | 1% Низкий | больше 2 лет назад |
| GHSA-x2w4-c67p-g44j Grafana Missing Synchronization vulnerability | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
 | CVE-2023-2801 Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix. | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
| CVE-2023-2801 Grafana is an open-source platform for monitoring and observability. ... | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
| CVE-2023-2183 Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. | CVSS3: 4.1 | 1% Низкий | больше 2 лет назад |
| CVE-2023-2183 Grafana is an open-source platform for monitoring and observability. ... | CVSS3: 4.1 | 1% Низкий | больше 2 лет назад |
Уязвимостей на страницу