
CVE-2024-11741
https://notcve.org/view.php?id=CVE-2024-11741
31 Jan 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 • https://grafana.com/security/security-advisories/cve-2024-11741 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-9476 – Privilege escalation vulnerability for Organizations in Grafana
https://notcve.org/view.php?id=CVE-2024-9476
13 Nov 2024 — A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation: users can gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability only affects users who utilize the Organizations feature to isolate resources on their Grafana instance. • https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476 • CWE-266: Incorrect Privilege Assignment •

CVE-2024-10452
https://notcve.org/view.php?id=CVE-2024-10452
29 Oct 2024 — Organization admins can delete pending invites created in an organization they are not part of. • https://grafana.com/security/security-advisories/cve-2024-10452 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
18 Oct 2024 — The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://packetstorm.news/files/id/182335 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-8118 – Grafana alerting wrong permission on datasource rule write endpoint
https://notcve.org/view.php?id=CVE-2024-8118
26 Sep 2024 — In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. • https://grafana.com/security/security-advisories/cve-2024-8118 • CWE-653: Improper Isolation or Compartmentalization •

CVE-2024-8996 – Grafana Agent Flow on Windows Unquoted service path
https://notcve.org/view.php?id=CVE-2024-8996
25 Sep 2024 — Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Agent Flow: before 0.43.2. • https://github.com/grafana/agent/releases/tag/v0.43.2 • CWE-428: Unquoted Search Path or Element •

CVE-2024-8975 – Grafana Alloy on Windows Unquoted service path
https://notcve.org/view.php?id=CVE-2024-8975
25 Sep 2024 — Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. • https://github.com/grafana/alloy/releases/tag/v1.4.0 • CWE-428: Unquoted Search Path or Element •

CVE-2024-8986 – Information Leakage in grafana-plugin-sdk-go
https://notcve.org/view.php?id=CVE-2024-8986
19 Sep 2024 — The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials. • https://grafana.com/security/security-advisories/cve-2024-8986 • CWE-522: Insufficiently Protected Credentials •

CVE-2024-6322
https://notcve.org/view.php?id=CVE-2024-6322
20 Aug 2024 — Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •

CVE-2024-5526
https://notcve.org/view.php?id=CVE-2024-5526
05 Jun 2024 — Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall versions from 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery (SSRF) vulnerability in the webhook functionality. This issue was fixed in version 1.5.2. • https://grafana.com/security/security-advisories/cve-2024-5526 • CWE-918: Server-Side Request Forgery (SSRF) •