Count: 380

Vulnerability | CVSS | EPSS | Published |
---|---|---|---|
RLSA-2023:4030 Critical: grafana security update | | 1% Low | almost 2 years ago |
RLSA-2022:1781 Low: grafana security, bug fix, and enhancement update | | 7% Low | about 3 years ago |
RLSA-2021:3771 Important: grafana security update | | 94% Critical | more than 3 years ago |
GHSA-xw5p-hw8j-xg4q Grafana vulnerable to Cross-site Scripting | CVSS3: 5.4 | 34% Medium | more than 2 years ago |
GHSA-xfc5-hp99-89qr The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have. | | 0% Low | about 3 years ago |
GHSA-x744-mm8v-vpgr Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins | CVSS3: 6.8 | 0% Low | about 1 year ago |
GHSA-x5fh-fvvr-892f Grafana XSS Vulnerability | CVSS3: 5.4 | 0% Low | about 3 years ago |
GHSA-x2w4-c67p-g44j Grafana Missing Synchronization vulnerability | CVSS3: 7.5 | 0% Low | about 2 years ago |
GHSA-vqc4-mpj8-jxch Grafana Race condition allowing privilege escalation | CVSS3: 9.8 | 4% Low | about 1 year ago |
GHSA-vq62-87gp-hrvv Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. | CVSS3: 7.5 | 59% Medium | about 3 years ago |
GHSA-vfhw-75mr-pg52 An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. | CVSS3: 4.9 | 0% Low | about 3 years ago |
GHSA-qrrg-gw7w-vp76 Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip | CVSS3: 6.2 | 1% Low | about 2 years ago |
GHSA-qhvm-m99m-qq44 One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance. | CVSS3: 7.5 | 4% Low | about 3 years ago |
GHSA-q99m-qcv4-fpm7 Grafana Command Injection And Local File Inclusion Via Sql Expressions | CVSS3: 9.9 | 92% Critical | 8 months ago |
GHSA-q8jm-f67m-5xxq ** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. | CVSS3: 7.5 | 11% Medium | about 3 years ago |
GHSA-p978-56hq-r492 Grafana folders admin only permission privilege escalation | CVSS3: 7.6 | 0% Low | about 1 year ago |
GHSA-mvpr-q6rh-8vrp Grafana XSS via a query alias for the ElasticSearch datasource | CVSS3: 6.1 | 1% Low | about 3 years ago |
GHSA-mpwp-42x6-4wmx Grafana Fine-grained access control vulnerability | CVSS3: 9.1 | 1% Low | about 1 year ago |
GHSA-mpv3-g8m3-3fjc Grafana vulnerable to Authentication Bypass by Spoofing | CVSS3: 9.4 | 1% Low | almost 2 years ago |
GHSA-m25m-5778-fm22 Grafana world readable configuration files | CVSS3: 5.5 | 0% Low | about 3 years ago |