Page 4 of 37 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc https://access.redhat.com/security/cve/CVE-2022-31130 https://bugzilla.redhat.com/show_bug.cgi?id=2131146 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. • https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r https://access.redhat.com/security/cve/CVE-2022-39229 https://bugzilla.redhat.com/show_bug.cgi?id=2131149 • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57 https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr https://access.redhat.com/security/cve/CVE-2022-39201 https://bugzilla.redhat.com/show_bug.cgi?id=2131148 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. • https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 https://security.netapp.com/advisory/ntap-20221124-0002 https://access.redhat.com/security/cve/CVE-2022-31123 https://bugzilla.redhat.com/show_bug.cgi?id=2131147 • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. • https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492 https://security.netapp.com/advisory/ntap-20221215-0001 • CWE-281: Improper Preservation of Permissions •