CVSS: 4.3 | EPSS: 0% | CPEs: 5 | EXPL: 0

31 Jan 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 • https://grafana.com/security/security-advisories/cve-2024-11741 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

13 Nov 2024 — A privilege escalation vulnerability in Grafana Labs Grafana OSS and Enterprise allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance. • https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476 • CWE-266: Incorrect Privilege Assignment •

CVSS: 2.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Oct 2024 — Organization admins can delete pending invites created in an organization they are not part of. • https://grafana.com/security/security-advisories/cve-2024-10452 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 9.9 | EPSS: 89% | CPEs: 6 | EXPL: 8

18 Oct 2024 — The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://packetstorm.news/files/id/182335 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

26 Sep 2024 — In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. • https://grafana.com/security/security-advisories/cve-2024-8118 • CWE-653: Improper Isolation or Compartmentalization •

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Sep 2024 — The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials. • https://grafana.com/security/security-advisories/cve-2024-8986 • CWE-522: Insufficiently Protected Credentials •

CVSS: 4.4 | EPSS: 0% | CPEs: 4 | EXPL: 0

20 Aug 2024 — Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •

CVSS: 6.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

26 Mar 2024 — It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana ... • https://grafana.com/security/security-advisories/cve-2024-1313 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 7.3 | EPSS: 0% | CPEs: 5 | EXPL: 0

07 Mar 2024 — A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. A flaw was foun... • https://grafana.com/security/security-advisories/cve-2024-1442 • CWE-269: Improper Privilege Management •

CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Feb 2024 — Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. `https://www.example.com/`), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request fro... • https://grafana.com/security/security-advisories/cve-2023-5122 • CWE-918: Server-Side Request Forgery (SSRF) •