ALT-PU-2020-2204-2

BDU:2020-03230

MEDIUM6.1

Уязвимость компонентов column.title и cellLinkTooltip веб-инструмента представления данных Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Published: 2020-07-09

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2020-12245

CVE-2019-19499

MEDIUM6.5

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

Published: 2020-08-28Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

CVE-2020-11110

MEDIUM5.4

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Published: 2020-07-27Modified: 2024-11-21

CVSS 2.0LOW 3.5

CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2020-12052

MEDIUM6.1

Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

Published: 2020-04-27Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2020-12245

MEDIUM6.1

Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.

Published: 2020-04-24Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2020-12458

MEDIUM5.5

An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

Published: 2020-04-29Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

CVE-2020-12459

MEDIUM5.5

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

Published: 2020-04-29Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

CVE-2020-13430

MEDIUM6.1

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Published: 2020-05-24Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

GHSA-3jq7-8ph8-63xm

HIGH7.1

Grafana information disclosure

Published: 2022-05-24Modified: 2024-11-18

CVSS 3.xHIGH 7.1

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0HIGH 7.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-4pwp-cx67-5cpx

MEDIUM5.7

Grafana Arbitrary File Read

Published: 2024-02-01Modified: 2024-09-16

CVSS 3.xMEDIUM 5.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P

CVSS 4.0MEDIUM 5.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

References

GHSA-7m2x-qhrq-rp8h

MEDIUM5.1

Grafana XSS via the OpenTSDB datasource

Published: 2022-05-24Modified: 2024-07-08

CVSS 3.xMEDIUM 5.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

GHSA-ccmg-w4xm-p28v

MEDIUM5.3

Grafana XSS in header column rename

Published: 2022-05-24Modified: 2024-07-08

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

GHSA-m25m-5778-fm22

HIGH7.1

Grafana world readable configuration files

Published: 2022-05-24Modified: 2026-01-17

CVSS 3.xHIGH 7.1

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0HIGH 7.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-xr3x-62qw-vc4w

MEDIUM5.1

Grafana stored XSS

Published: 2022-05-24Modified: 2024-07-08

CVSS 3.xMEDIUM 5.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

Package update grafana in branch p9

Closed issues (14)

Уязвимость компонентов column.title и cellLinkTooltip веб-инструмента представления данных Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.

An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Grafana information disclosure

Grafana Arbitrary File Read

Grafana XSS via the OpenTSDB datasource

Grafana XSS in header column rename

Grafana world readable configuration files

Grafana stored XSS