CVSS: 7.8  EPSS: 0%  CPEs: 2  EXPL: 0
CVE-2022-31130 – Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
https://notcve.org/view.php?id=CVE-2022-31130
13 Oct 2022 — Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability affects data source and plugin proxy endpoints that carry authentication tokens: the destination plugin could receive the user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue.
Reference: https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials
CVSS: 7.8  EPSS: 0%  CPEs: 3  EXPL: 0
CVE-2022-31123 – Grafana plugin signature bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-31123
13 Oct 2022 — Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Reference: https://github.com/grafana/grafana/releases/tag/v9.1.8
Weakness: CWE-347: Improper Verification of Cryptographic Signature
CVSS: 7.6  EPSS: 0%  CPEs: 3  EXPL: 0
CVE-2022-36062 – Grafana folders admin only permission privilege escalation
https://notcve.org/view.php?id=CVE-2022-36062
22 Sep 2022 — Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in th...
Reference: https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
Weakness: CWE-281: Improper Preservation of Permissions
CVSS: 6.8  EPSS: 0%  CPEs: 4  EXPL: 0
CVE-2022-35957 – Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
https://notcve.org/view.php?id=CVE-2022-35957
20 Sep 2022 — Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the Grafana instance. All installations should be upgraded as soon as possible. As a workaround, deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authenticat...
Reference: https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
Weaknesses: CWE-288: Authentication Bypass Using an Alternate Path or Channel; CWE-290: Authentication Bypass by Spoofing
CVSS: 7.5  EPSS: 0%  CPEs: 5  EXPL: 0
CVE-2022-31107 – Grafana account takeover via OAuth vulnerability
https://notcve.org/view.php?id=CVE-2022-31107
15 Jul 2022 — Grafana is an open-source platform for monitoring and observability. In versions from 5.3 up to, but not including, 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who is authorized to log into a Grafana instance via a configured OAuth IdP that provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana,...
Reference: https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
Weaknesses: CWE-287: Improper Authentication; CWE-863: Incorrect Authorization
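The account-linking mistake this advisory describes is easiest to see as two versions of the same lookup. The Go program below is an added illustration, not Grafana's code and not taken from the advisory: a local "admin" account with no external identity, an IdP identity whose login name was chosen to be "admin", and two resolvers. The vulnerable one falls back to matching on the IdP-supplied login name when the external id is unknown and links the match; the hardened one links only on the (provider, subject) pair and refuses a colliding login instead of attaching to it. Provider name, subject value and the store are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a minimal local account. AuthKey records the external identity
// ("provider:subject") the account is linked to, or "" if it was created locally.
type User struct {
	ID      int
	Login   string
	IsAdmin bool
	AuthKey string
}

// OAuthIdentity is what the identity provider asserts after a successful login.
// Login is the provider-supplied login name, which on many IdPs the user can
// choose freely; Subject is the provider's stable, non-reusable identifier.
type OAuthIdentity struct {
	Provider string
	Subject  string
	Login    string
}

func (o OAuthIdentity) key() string { return o.Provider + ":" + o.Subject }

var ErrUnknownIdentity = errors.New("external identity not linked to any account")

type userStore struct{ users []*User }

func (s *userStore) byAuthKey(key string) *User {
	for _, u := range s.users {
		if u.AuthKey == key {
			return u
		}
	}
	return nil
}

func (s *userStore) byLogin(login string) *User {
	for _, u := range s.users {
		if u.Login == login {
			return u
		}
	}
	return nil
}

// resolveVulnerable: when the external identity is not yet linked, fall back to
// matching on the IdP-supplied login name and link the match. Whoever controls
// the login name at the IdP can therefore claim any existing local account.
func (s *userStore) resolveVulnerable(id OAuthIdentity) (*User, error) {
	if u := s.byAuthKey(id.key()); u != nil {
		return u, nil
	}
	if u := s.byLogin(id.Login); u != nil {
		u.AuthKey = id.key() // takeover: the existing account is now owned by this identity
		return u, nil
	}
	return nil, ErrUnknownIdentity
}

// resolveHardened: an unlinked external identity may only create a fresh
// account. It is never attached to an existing account by name, and a login
// that collides with an existing account is refused rather than reused.
func (s *userStore) resolveHardened(id OAuthIdentity) (*User, error) {
	if u := s.byAuthKey(id.key()); u != nil {
		return u, nil
	}
	if s.byLogin(id.Login) != nil {
		return nil, fmt.Errorf("login %q already exists and is not linked to %s", id.Login, id.key())
	}
	u := &User{ID: len(s.users) + 1, Login: id.Login, AuthKey: id.key()}
	s.users = append(s.users, u)
	return u, nil
}

// newStore builds the constructed scenario: a local admin with no external link.
func newStore() *userStore {
	return &userStore{users: []*User{{ID: 1, Login: "admin", IsAdmin: true}}}
}

// attacker is a hypothetical IdP identity whose login name matches the victim.
var attacker = OAuthIdentity{Provider: "oauth_example", Subject: "7f3a-attacker", Login: "admin"}

// demo returns the account the vulnerable path hands out and the outcome of the
// hardened path for the same identity.
func demo() (vulnerableResult *User, hardenedErr error) {
	vulnerableResult, _ = newStore().resolveVulnerable(attacker)
	_, hardenedErr = newStore().resolveHardened(attacker)
	return
}

func main() {
	u, err := demo()
	fmt.Printf("vulnerable path: logged in as %q (admin=%v)\n", u.Login, u.IsAdmin)
	fmt.Printf("hardened path:   %v\n", err)
}
```

Refusing the colliding login is the simplest safe choice for an illustration; a production system might instead mint a unique login or match on a verified e-mail claim, but in no case should an unverified, user-chosen name select the account that an unknown external identity gets linked to.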
CVSS: 8.7  EPSS: 48%  CPEs: 5  EXPL: 0
CVE-2022-31097 – Stored XSS in Grafana's Unified Alerting
https://notcve.org/view.php?id=CVE-2022-31097
15 Jul 2022 — Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting....
Reference: https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 8.5  EPSS: 0%  CPEs: 2  EXPL: 1
CVE-2022-29170 – Grafana Enterprise datasource network restrictions bypass via HTTP redirects
https://notcve.org/view.php?id=CVE-2022-29170
20 May 2022 — Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list feature lets an operator configure Grafana so that the instance does not call any host, or only calls specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only ...
Reference (public exploit): https://github.com/yijikeji/CVE-2022-29170
Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
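The bypass pattern is generic: an egress allow list that is checked once, on the URL the operator typed, is defeated by any 3xx from an allowed host, because Go's net/http client follows up to ten redirects on its own. The program below is an added example, not Grafana's implementation and not the referenced exploit. It uses an in-memory http.RoundTripper (hypothetical hosts "datasource.allowed.example" and "metadata.forbidden.example", constructed for the example) so it runs offline, and contrasts a client that checks only the initial URL with one that re-applies the policy in CheckRedirect before every hop.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// ErrHostNotAllowed is returned when a request, or any redirect it produces,
// targets a host outside the allow list.
var ErrHostNotAllowed = errors.New("host not in allow list")

// allowList is a hypothetical egress policy: only the listed hosts may be called.
type allowList map[string]bool

func (a allowList) check(u *url.URL) error {
	if a[u.Host] {
		return nil
	}
	return fmt.Errorf("%w: %s", ErrHostNotAllowed, u.Host)
}

// fakeNetwork stands in for the real network (constructed for the example).
// The allowed datasource answers with a 302 to a forbidden host, which serves data.
type fakeNetwork struct{}

func (fakeNetwork) RoundTrip(req *http.Request) (*http.Response, error) {
	resp := &http.Response{Header: http.Header{}, Request: req, Body: io.NopCloser(strings.NewReader(""))}
	switch req.URL.Host {
	case "datasource.allowed.example":
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "http://metadata.forbidden.example/secret")
	case "metadata.forbidden.example":
		resp.StatusCode = http.StatusOK
		resp.Body = io.NopCloser(strings.NewReader("internal data"))
	default:
		resp.StatusCode = http.StatusBadGateway
	}
	return resp, nil
}

// vulnerableClient relies on the caller's one-time check of the initial URL;
// net/http then follows the 302 to the forbidden host with no further validation.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: fakeNetwork{}}
}

// hardenedClient re-applies the policy in CheckRedirect, which net/http calls
// before each hop; returning an error aborts the redirect chain.
func hardenedClient(policy allowList) *http.Client {
	return &http.Client{
		Transport: fakeNetwork{},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			return policy.check(req.URL)
		},
	}
}

// fetch checks the initial URL against the policy (both clients get this much),
// then issues the request and reports the final status or the error that stopped it.
func fetch(c *http.Client, policy allowList, rawURL string) (int, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	if err := policy.check(u); err != nil {
		return 0, err
	}
	resp, err := c.Get(rawURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo runs the same allow-listed request through both clients.
func demo() (vulnStatus int, vulnErr error, hardenedErr error) {
	policy := allowList{"datasource.allowed.example": true}
	const target = "http://datasource.allowed.example/api/query"
	vulnStatus, vulnErr = fetch(vulnerableClient(), policy, target)
	_, hardenedErr = fetch(hardenedClient(policy), policy, target)
	return
}

func main() {
	s, ve, he := demo()
	fmt.Printf("vulnerable client: status=%d err=%v\n", s, ve)
	fmt.Printf("hardened client:   err=%v\n", he)
}
```

Matching on u.Host (host plus port) rather than on the hostname alone is deliberate: a redirect to the same name on a different port is still a different service. A complete SSRF defence would also resolve the name and check the resulting address against private ranges, which an allow list of names does not do.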
CVSS: 9.8  EPSS: 0%  CPEs: 2  EXPL: 0
CVE-2022-28660
https://notcve.org/view.php?id=CVE-2022-28660
20 May 2022 — The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode.
Reference: https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022
Weakness: CWE-306: Missing Authentication for Critical Function
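X-Scope-OrgID is a tenant-selection header that is supposed to be set by a trusted gateway after it has authenticated the caller. The failure mode in this advisory is a component that honours the header as if that had already happened. The Go program below is an added illustration, not Grafana Enterprise Logs code: two handlers for a hypothetical "/query" route, one that admits any request naming a tenant and one that first authenticates a bearer token and then checks that the named tenant is one the principal may read. The token table and tenant names are constructed for the example; the requests are driven through httptest.NewRecorder so nothing listens on the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const orgHeader = "X-Scope-OrgID"

// tokens maps a bearer token to the tenants (org IDs) its owner may query.
// Constructed stand-in for whatever authentication backend a deployment uses.
var tokens = map[string][]string{
	"tok-acme":   {"acme"},
	"tok-shared": {"acme", "globex"},
}

// querier serves a tenant's logs once the caller has been admitted. It reads
// the tenant from the header; the routers below decide whether to trust it.
func querier(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "logs for tenant %s", r.Header.Get(orgHeader))
}

// vulnerableRouter admits any request that names a tenant. The header is
// meant to be set by a trusted gateway, but nothing verifies who sent it.
func vulnerableRouter() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(orgHeader) == "" {
			http.Error(w, "missing "+orgHeader, http.StatusBadRequest)
			return
		}
		querier(w, r)
	})
}

// hardenedRouter authenticates the caller first, then checks that the tenant
// named in the header is one the authenticated principal is entitled to.
func hardenedRouter() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		allowed, ok := tokens[token]
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		org := r.Header.Get(orgHeader)
		if org == "" {
			http.Error(w, "missing "+orgHeader, http.StatusBadRequest)
			return
		}
		for _, a := range allowed {
			if a == org {
				querier(w, r)
				return
			}
		}
		http.Error(w, "tenant not permitted for this principal", http.StatusForbidden)
	})
}

// probe sends one in-memory request and returns the status code, so the two
// routers can be compared without opening a socket.
func probe(h http.Handler, token, org string) int {
	req := httptest.NewRequest(http.MethodGet, "/query", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	if org != "" {
		req.Header.Set(orgHeader, org)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, no credential, org=acme:  ", probe(vulnerableRouter(), "", "acme"))
	fmt.Println("hardened,   no credential, org=acme:  ", probe(hardenedRouter(), "", "acme"))
	fmt.Println("hardened,   tok-acme,      org=acme:  ", probe(hardenedRouter(), "tok-acme", "acme"))
	fmt.Println("hardened,   tok-acme,      org=globex:", probe(hardenedRouter(), "tok-acme", "globex"))
}
```

The same check belongs on every service in a microservices deployment that can be reached directly, not only on the gateway: a header that is trustworthy at the edge is plain attacker input once a querier is addressable from inside the network.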
CVSS: 9.8  EPSS: 87%  CPEs: 5  EXPL: 1
CVE-2022-26148 – grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
https://notcve.org/view.php?id=CVE-2022-26148
21 Mar 2022 — An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in, and user registration is allowed, one can right-click to view the page source and search (Ctrl-F) for "password" in api_jsonrpc.php to discover the Zabbix account password and URL.
Reference: https://2k8.org/post-319.html
Weakness: CWE-312: Cleartext Storage of Sensitive Information
CVSS: 4.3  EPSS: 0%  CPEs: 11  EXPL: 0
CVE-2022-21713 – Exposure of Sensitive Information in Grafana
https://notcve.org/view.php?id=CVE-2022-21713
08 Feb 2022 — Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when e...
Reference: https://github.com/grafana/grafana/pull/45083
Weaknesses: CWE-425: Direct Request ('Forced Browsing'); CWE-639: Authorization Bypass Through User-Controlled Key; CWE-863: Incorrect Authorization
