Все бюллетени/sisyphus/ALT-PU-2022-3295-4
ALT-PU-2022-3295-4

Обновление пакета grafana в ветке sisyphus

Версия9.3.1-alt1
Задание#311333
Опубликовано2026-04-03
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (42)

BDU:2022-05544
CRITICAL9.8

Уязвимость пакета net/http языка программирования Go, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Опубликовано: 2022-09-07Изменено: 2023-11-21
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2022-07077
HIGH8.7

Уязвимость компонентов column.title и cellLinkTooltip веб-инструмента представления данных Grafana, позволяющая нарушителю повысить свои привилегии

Опубликовано: 2022-12-02Изменено: 2024-04-04
CVSS 3.xВЫСОКАЯ 8.7
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2023-05841
HIGH7.5

Уязвимость компонента golang.org/x/text/language библиотеки для языка программирования Go text, позволяющая нарушителю вызывать отказ в обслуживании

Опубликовано: 2023-09-19Изменено: 2024-08-26
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2024-02573
HIGH7.5

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной авторизацией, позволяющая нарушителю повысить свои привилегии

Опубликовано: 2024-04-04
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0ВЫСОКАЯ 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
Ссылки
BDU:2024-02598
HIGH8.5

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с перенаправлением URL-адреса на ненадежный сайт, позволяющая нарушителю перенаправить пользователя на произвольный сайт

Опубликовано: 2024-04-04
CVSS 3.xВЫСОКАЯ 8.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0ВЫСОКАЯ 7.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:P/A:N
Ссылки
BDU:2024-02614
LOW3.5

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной нейтрализацией ввода во время создания веб-страницы, позволяющая нарушителю внедрять введенный URL-адреса

Опубликовано: 2024-04-05
CVSS 3.xНИЗКАЯ 3.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
Ссылки
BDU:2024-02616
MEDIUM5.3

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с раскрытием конфиденциальной информации несанкционированному субъекту, позволяющая нарушителю получить доступ к конфиденциальным данным

Опубликовано: 2024-04-05Изменено: 2026-03-19
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
Ссылки
BDU:2024-02617
HIGH8.1

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной проверка ввода, позволяющая нарушителю обойти существующие ограничения безопасности

Опубликовано: 2024-04-05
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0КРИТИЧЕСКАЯ 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
Ссылки
BDU:2024-02618
MEDIUM4.3

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной аутентификацией, позволяющая нарушителю блокировать попытки входа в систему

Опубликовано: 2024-04-05
CVSS 3.xСРЕДНЯЯ 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
Ссылки
BDU:2024-02619
HIGH8.2

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с раскрытием конфиденциальной информации несанкционированному субъекту, позволяющая нарушителю раскрыть защищаемую информацию

Опубликовано: 2024-04-05
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
Ссылки
BDU:2024-02620
HIGH7.5

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с раскрытием конфиденциальной информации несанкционированному субъекту, позволяющая нарушителю раскрыть защищаемую информацию

Опубликовано: 2024-04-05
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
Ссылки
BDU:2024-02621
HIGH7.8

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной проверкой криптографической подписи, позволяющая нарушителю установить вредоносное программное обеспечение на уязвимое устройство

Опубликовано: 2024-04-05
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0ВЫСОКАЯ 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2024-02622
MEDIUM6.6

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с обходом аутентификации путем спуфинга, позволяющая нарушителю получить несанкционированный доступ к информации и нарушить ее целостность и доступность

Опубликовано: 2024-04-05
CVSS 3.xСРЕДНЯЯ 6.6
CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:H/Au:M/C:C/I:C/A:C
Ссылки
CVE-2022-27664
HIGH7.5

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Опубликовано: 2022-09-06Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2022-29170
HIGH8.5

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

Опубликовано: 2022-05-20Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 4.9
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSS 3.xВЫСОКАЯ 8.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Ссылки
CVE-2022-31097
HIGH8.7

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

Опубликовано: 2022-07-15Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Ссылки
CVE-2022-31107
HIGH7.5

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.

Опубликовано: 2022-07-15Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2022-31123
HIGH7.8

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

Опубликовано: 2022-10-13Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2022-31130
HIGH7.5

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

Опубликовано: 2022-10-13Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2022-32149
HIGH7.5

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Опубликовано: 2022-10-14Изменено: 2025-05-15
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2022-35957
MEDIUM6.6

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

Опубликовано: 2022-09-20Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 6.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2022-36062
LOW3.8

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

Опубликовано: 2022-09-22Изменено: 2024-11-21
CVSS 3.xНИЗКАЯ 3.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Ссылки
CVE-2022-39201
HIGH7.5

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

Опубликовано: 2022-10-13Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2022-39229
MEDIUM4.3

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.

Опубликовано: 2022-10-13Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Ссылки
CVE-2022-39306
HIGH8.1

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.

Опубликовано: 2022-11-09Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Ссылки
CVE-2022-39307
MEDIUM5.3

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

Опубликовано: 2022-11-09Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2022-39324
LOW3.5

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

Опубликовано: 2023-01-27Изменено: 2024-11-21
CVSS 3.xНИЗКАЯ 3.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Ссылки
CVE-2026-27877
HIGH7.5

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Опубликовано: 2026-03-27Изменено: 2026-03-31
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
GHSA-2x6g-h2hg-rq84
HIGH7.2

Grafana Email addresses and usernames can not be trusted

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xВЫСОКАЯ 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0ВЫСОКАЯ 7.2
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-3p62-42x7-gxg5
HIGH7.3

Grafana User enumeration via forget password

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
CVSS 4.0ВЫСОКАЯ 7.3
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-4724-7jwc-3fpw
MEDIUM5.3

Grafana Spoofing originalUrl of snapshots

Опубликовано: 2024-05-15Изменено: 2024-07-08
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
CVSS 4.0СРЕДНЯЯ 5.3
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L
Ссылки
GHSA-69cg-p879-7622
HIGH7.5

golang.org/x/net/http2 Denial of Service vulnerability

Опубликовано: 2022-09-07Изменено: 2024-05-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-69ch-w2m2-3vjp
HIGH7.5

golang.org/x/text/language Denial of service via crafted Accept-Language header

Опубликовано: 2022-10-14Изменено: 2025-05-16
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-ff5c-938w-8c9q
HIGH7.5

Grafana Escalation from admin to server admin when auth proxy is used

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.5
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-gj7m-853r-289r
MEDIUM5.1

Grafana when using email as a username can block other users from signing in

Опубликовано: 2024-05-15Изменено: 2024-07-08
CVSS 3.xСРЕДНЯЯ 5.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0СРЕДНЯЯ 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-jv32-5578-pxjc
MEDIUM6.9

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Опубликовано: 2024-05-15Изменено: 2024-07-08
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-mx47-6497-3fv2
HIGH7.6

Grafana account takeover via OAuth vulnerability

Опубликовано: 2024-05-15Изменено: 2026-01-17
CVSS 3.xВЫСОКАЯ 7.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0ВЫСОКАЯ 7.6
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-p978-56hq-r492
HIGH7.2

Grafana folders admin only permission privilege escalation

Опубликовано: 2024-05-15Изменено: 2024-07-08
CVSS 3.xВЫСОКАЯ 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0ВЫСОКАЯ 7.2
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-rhxj-gh46-jvw8
HIGH8.4

Grafana Plugin signature bypass

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xВЫСОКАЯ 8.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
CVSS 4.0ВЫСОКАЯ 8.4
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-vw7q-p2qg-4m5f
MEDIUM6.3

Grafana Stored Cross-site Scripting in Unified Alerting

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xСРЕДНЯЯ 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0СРЕДНЯЯ 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Ссылки
GHSA-x744-mm8v-vpgr
HIGH8.5

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins

Опубликовано: 2024-05-15Изменено: 2024-11-18
CVSS 3.xВЫСОКАЯ 8.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 8.5
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ссылки