Vulnerabilites related to Grafana - Grafana
CVE-2024-8118 (GCVE-0-2024-8118)
Vulnerability from cvelistv5
Published
2024-09-26 18:46
Modified
2024-09-26 19:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Summary
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T19:06:31.902922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T19:06:40.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/grafana/grafana/",
"defaultStatus": "unaffected",
"product": "Grafana",
"programFiles": [
"/pkg/services/ngalert/api/authorization.go"
],
"vendor": "Grafana",
"versions": [
{
"lessThan": "10.3.10",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "10.4.9",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.5",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.6",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"lessThan": "11.2.1",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.\u003cbr\u003e"
}
],
"value": "In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:46:07.048Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-8118/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Grafana alerting wrong permission on datasource rule write endpoint",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-8118",
"datePublished": "2024-09-26T18:46:07.048Z",
"dateReserved": "2024-08-23T13:45:00.173Z",
"dateUpdated": "2024-09-26T19:06:40.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1442 (GCVE-0-2024-1442)
Vulnerability from cvelistv5
Published
2024-03-07 17:45
Modified
2024-11-22 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1442",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T14:35:40.672183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T14:35:58.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-22T12:04:45.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2024-1442/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.7",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.12",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.8",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.5",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.4",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\u003cbr\u003eDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\u003cbr\u003e"
}
],
"value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T17:45:43.993Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-1442/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User with permissions to create a data source can CRUD all data sources",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-1442",
"datePublished": "2024-03-07T17:45:43.993Z",
"dateReserved": "2024-02-12T12:21:26.806Z",
"dateUpdated": "2024-11-22T12:04:45.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29170 (GCVE-0-2022-29170)
Vulnerability from cvelistv5
Published
2022-05-20 16:10
Modified
2025-04-23 18:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-9rrr-6fq2-4f99"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/49240"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.16"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.5.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220707-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:14.258108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:44.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0-beta1, \u003c 7.5.16"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn\u2019t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T14:06:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-9rrr-6fq2-4f99"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/49240"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.16"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.5.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220707-0005/"
}
],
"source": {
"advisory": "GHSA-9rrr-6fq2-4f99",
"discovery": "UNKNOWN"
},
"title": "Grafana Enterprise datasource network restrictions bypass via HTTP redirects",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29170",
"STATE": "PUBLIC",
"TITLE": "Grafana Enterprise datasource network restrictions bypass via HTTP redirects"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 7.4.0-beta1, \u003c 7.5.16"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.5.3"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn\u2019t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-9rrr-6fq2-4f99",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-9rrr-6fq2-4f99"
},
{
"name": "https://github.com/grafana/grafana/pull/49240",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/pull/49240"
},
{
"name": "https://github.com/grafana/grafana/releases/tag/v7.5.16",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.16"
},
{
"name": "https://github.com/grafana/grafana/releases/tag/v8.5.3",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/releases/tag/v8.5.3"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220707-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220707-0005/"
}
]
},
"source": {
"advisory": "GHSA-9rrr-6fq2-4f99",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29170",
"datePublished": "2022-05-20T16:10:12.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:44.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1313 (GCVE-0-2024-1313)
Vulnerability from cvelistv5
Published
2024-03-26 17:24
Modified
2025-02-13 17:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo
Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:46:01.440788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:46:07.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Grafana",
"repo": "https://github.com/grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.18",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.13",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.9",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.6",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.5",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.4.0"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\u003cbr\u003e"
}
],
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ravid Mazon"
},
{
"lang": "en",
"type": "finder",
"value": "Jay Chen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u0026lt;key\u0026gt; using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\u003cbr\u003e\u003cp\u003e\u003cbr\u003eGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\u003cbr\u003e\u003cbr\u003eThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:08:06.260Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Users outside an organization can delete a snapshot with its key",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-1313",
"datePublished": "2024-03-26T17:24:25.956Z",
"dateReserved": "2024-02-07T15:15:07.330Z",
"dateUpdated": "2025-02-13T17:27:36.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43815 (GCVE-0-2021-43815)
Vulnerability from cvelistv5
Published
2021-12-10 20:40
Modified
2024-08-04 04:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0-beta3, \u003c 8.3.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 7.5.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T12:06:29",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
],
"source": {
"advisory": "GHSA-7533-c8qv-jm9m",
"discovery": "UNKNOWN"
},
"title": "Grafana directory traversal for `.cvs` files",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43815",
"STATE": "PUBLIC",
"TITLE": "Grafana directory traversal for `.cvs` files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0-beta3, \u003c 8.3.2"
},
{
"version_value": "\u003e= 5.0.0, \u003c 7.5.12"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"name": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m"
},
{
"name": "https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3"
},
{
"name": "https://github.com/grafana/grafana/releases/tag/v8.3.2",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220107-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
]
},
"source": {
"advisory": "GHSA-7533-c8qv-jm9m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43815",
"datePublished": "2021-12-10T20:40:11",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1410 (GCVE-0-2023-1410)
Vulnerability from cvelistv5
Published
2023-03-23 07:48
Modified
2025-03-04 21:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 8.0.0 ≤ Version: 9.0.0 ≤ Version: 9.3.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1410",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T21:21:42.873495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T21:22:03.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.22",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.22",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability.\u0026nbsp;\u003c/p\u003e\u003cp\u003eGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \u003c/p\u003e\u003cp\u003eThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\u003c/p\u003e\u003cp\u003eAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u0026nbsp;\u003c/p\u003e\u003cp\u003e Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T08:06:33.364Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Graphite FunctionDescription tooltip",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-1410",
"datePublished": "2023-03-23T07:48:56.246Z",
"dateReserved": "2023-03-15T11:11:52.860Z",
"dateUpdated": "2025-03-04T21:22:03.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4123 (GCVE-0-2025-4123)
Vulnerability from cvelistv5
Published
2025-05-22 07:44
Modified
2025-07-22 14:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T13:21:28.047643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:11:46.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "10.4.19",
"status": "affected",
"version": "10.4.18+security-01",
"versionType": "semver"
},
{
"lessThan": "11.2.10",
"status": "affected",
"version": "11.2.9+security-01",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.6+security-01",
"versionType": "semver"
},
{
"lessThan": "11.4.5",
"status": "affected",
"version": "11.4.4+security-01",
"versionType": "semver"
},
{
"lessThan": "11.5.5",
"status": "affected",
"version": "11.5.4+security-01",
"versionType": "semver"
},
{
"lessThan": "11.6.2",
"status": "affected",
"version": "11.6.1+security-01",
"versionType": "semver"
},
{
"lessThan": "12.0.1",
"status": "affected",
"version": "12.0.0+security-01",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alvaro Balada"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.\u003cbr\u003e\u003cbr\u003eThe default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.\n\nThe default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
},
{
"capecId": "CAPEC-204",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-204"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T07:16:32.159Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-4123/"
},
{
"tags": [
"mitigation",
"release-notes"
],
"url": "https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-4123",
"datePublished": "2025-05-22T07:44:09.491Z",
"dateReserved": "2025-04-30T06:59:15.172Z",
"dateUpdated": "2025-07-22T14:11:46.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21673 (GCVE-0-2022-21673)
Vulnerability from cvelistv5
Published
2022-01-18 21:35
Modified
2025-04-23 19:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:12:04.035353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:11:00.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.2.0, \u003c 7.5.13"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-07T07:06:34.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"source": {
"advisory": "GHSA-8wjh-59cw-9xh4",
"discovery": "UNKNOWN"
},
"title": "OAuth Identity Token exposure in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21673",
"STATE": "PUBLIC",
"TITLE": "OAuth Identity Token exposure in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 7.2.0, \u003c 7.5.13"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.4"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
},
{
"name": "https://github.com/grafana/grafana/releases/tag/v7.5.13",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
},
{
"name": "https://github.com/grafana/grafana/releases/tag/v8.3.4",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220303-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
]
},
"source": {
"advisory": "GHSA-8wjh-59cw-9xh4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21673",
"datePublished": "2022-01-18T21:35:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:11:00.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2183 (GCVE-0-2023-2183)
Vulnerability from cvelistv5
Published
2023-06-06 18:04
Modified
2025-02-13 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 8.0.0 ≤ Version: 9.0.0 ≤ Version: 9.3.0 ≤ Version: 9.4.0 ≤ Version: 9.5.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:30:23.268015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:30:50.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.26",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.19",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.15",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.26",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.19",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.15",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\u003c/p\u003e\u003cp\u003eThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\u003c/p\u003e\u003cp\u003eUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T18:06:27.533Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-2183",
"datePublished": "2023-06-06T18:04:26.485Z",
"dateReserved": "2023-04-19T12:11:08.488Z",
"dateUpdated": "2025-02-13T16:40:15.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21713 (GCVE-0-2022-21713)
Vulnerability from cvelistv5
Published
2022-02-08 20:50
Modified
2025-04-23 19:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:53:34.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:11:00.990164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:06:38.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-beta1, \u003c 7.5.15"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-07T07:06:33.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"source": {
"advisory": "GHSA-63g3-9jq3-mccv",
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21713",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.0.0-beta1, \u003c 7.5.15"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"name": "https://github.com/grafana/grafana/pull/45083",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220303-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
]
},
"source": {
"advisory": "GHSA-63g3-9jq3-mccv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21713",
"datePublished": "2022-02-08T20:50:17.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:06:38.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1387 (GCVE-0-2023-1387)
Vulnerability from cvelistv5
Published
2023-04-26 13:47
Modified
2025-02-13 16:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 9.1.0 ≤ Version: 9.3.0 ≤ Version: 9.4.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:11:53.656123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:12:05.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \u003c/p\u003e\u003cp\u003eBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T07:06:35.623Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-1387",
"datePublished": "2023-04-26T13:47:16.914Z",
"dateReserved": "2023-03-14T11:11:01.304Z",
"dateUpdated": "2025-02-13T16:39:22.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9264 (GCVE-0-2024-9264)
Vulnerability from cvelistv5
Published
2024-10-18 03:20
Modified
2025-03-14 10:03
Severity ?
9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"lessThan": "11.0.5\\+security-01",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.6\\+security-01",
"status": "affected",
"version": "11.0.6",
"versionType": "semver"
},
{
"lessThan": "11.1.6\\+security-01",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"lessThan": "11.1.7\\+security-01",
"status": "affected",
"version": "11.1.7",
"versionType": "semver"
},
{
"lessThan": "11.2.1\\+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.2.2\\+security-01",
"status": "affected",
"version": "11.2.2",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9264",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-31T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T03:55:21.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-03-14T10:03:06.561Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/grafana/grafana/",
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.0.5",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.1.6",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.2.1",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.0.6",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.1.7",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "+security-01",
"status": "unaffected"
}
],
"lessThan": "11.2.2",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, \u003cspan style=\"background-color: transparent;\"\u003eleading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. \u003c/span\u003eThe `duckdb` binary must be present in Grafana\u0027s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.\u003cbr\u003e"
}
],
"value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana\u0027s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242: Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T03:20:52.489Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-9264/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Grafana SQL Expressions allow for remote code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-9264",
"datePublished": "2024-10-18T03:20:52.489Z",
"dateReserved": "2024-09-26T20:15:46.544Z",
"dateUpdated": "2025-03-14T10:03:06.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24812 (GCVE-0-2022-24812)
Vulnerability from cvelistv5
Published
2022-04-12 17:00
Modified
2025-04-23 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disable fine-grained access control will mitigate the vulnerability.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-4-6/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220519-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:33.764526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:40:31.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": " \u003e= 8.1.0-beta1, \u003c 8.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disable fine-grained access control will mitigate the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T19:06:25.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-4-6/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220519-0005/"
}
],
"source": {
"advisory": "GHSA-82gq-xfg3-5j7v",
"discovery": "UNKNOWN"
},
"title": "FGAC API Key privilege escalation in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24812",
"STATE": "PUBLIC",
"TITLE": "FGAC API Key privilege escalation in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": " \u003e= 8.1.0-beta1, \u003c 8.4.6"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disable fine-grained access control will mitigate the vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v"
},
{
"name": "https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-4-6/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-4-6/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220519-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220519-0005/"
}
]
},
"source": {
"advisory": "GHSA-82gq-xfg3-5j7v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24812",
"datePublished": "2022-04-12T17:00:19.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:40:31.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31107 (GCVE-0-2022-31107)
Vulnerability from cvelistv5
Published
2022-07-15 12:30
Modified
2025-04-23 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:38.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:22.146345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:01:43.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.3, \u003c 8.3.10"
},
{
"status": "affected",
"version": "\u003e= 8.4.0, \u003c 8.4.10"
},
{
"status": "affected",
"version": "\u003e= 8.5.0, \u003c 8.5.9"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user\u0027s external user id is not already associated with an account in Grafana, the malicious user\u0027s email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user\u0027s Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-01T13:06:35.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
],
"source": {
"advisory": "GHSA-mx47-6497-3fv2",
"discovery": "UNKNOWN"
},
"title": "Grafana account takeover via OAuth vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31107",
"STATE": "PUBLIC",
"TITLE": "Grafana account takeover via OAuth vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.3, \u003c 8.3.10"
},
{
"version_value": "\u003e= 8.4.0, \u003c 8.4.10"
},
{
"version_value": "\u003e= 8.5.0, \u003c 8.5.9"
},
{
"version_value": "\u003e= 9.0.0, \u003c 9.0.3"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user\u0027s external user id is not already associated with an account in Grafana, the malicious user\u0027s email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user\u0027s Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2"
},
{
"name": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/"
},
{
"name": "https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220901-0010/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
]
},
"source": {
"advisory": "GHSA-mx47-6497-3fv2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31107",
"datePublished": "2022-07-15T12:30:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:01:43.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35957 (GCVE-0-2022-35957)
Vulnerability from cvelistv5
Published
2022-09-20 00:00
Modified
2025-04-23 16:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:59.770400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:57:04.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e 9.0.0, \u003c 9.1.6"
},
{
"status": "affected",
"version": "\u003c 8.5.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"source": {
"advisory": "GHSA-ff5c-938w-8c9q",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35957",
"datePublished": "2022-09-20T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:57:04.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6322 (GCVE-0-2024-6322)
Vulnerability from cvelistv5
Published
2024-08-20 17:52
Modified
2025-10-30 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 11.1.0 ≤ Version: 11.1.2 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:25:17.993382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:04:40.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.1.1",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.2",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.1.1",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.2",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T17:55:02.115Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-6322/"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-6322",
"datePublished": "2024-08-20T17:52:06.232Z",
"dateReserved": "2024-06-25T13:25:06.436Z",
"dateUpdated": "2025-10-30T17:55:02.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-31130 (GCVE-0-2022-31130)
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2025-04-23 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:27.981418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:50:57.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.14"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user\u0027s Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc"
},
{
"url": "https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177"
},
{
"url": "https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f"
}
],
"source": {
"advisory": "GHSA-jv32-5578-pxjc",
"discovery": "UNKNOWN"
},
"title": "Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31130",
"datePublished": "2022-10-13T00:00:00.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:50:57.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3260 (GCVE-0-2025-3260)
Vulnerability from cvelistv5
Published
2025-06-02 10:06
Modified
2025-06-02 12:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T12:13:45.529554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T12:14:34.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.1+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\u003c/p\u003e\u003cp\u003eImpact:\u003c/p\u003e\u003cp\u003e- Viewers can view all dashboards/folders regardless of permissions\u003c/p\u003e\u003cp\u003e- Editors can view/edit/delete all dashboards/folders regardless of permissions\u003c/p\u003e\u003cp\u003e- Editors can create dashboards in any folder regardless of permissions\u003c/p\u003e\u003cp\u003e- Anonymous users with viewer/editor roles are similarly affected\u003c/p\u003e\u003cp\u003eOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.\u003c/p\u003e"
}
],
"value": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).\n\nImpact:\n\n- Viewers can view all dashboards/folders regardless of permissions\n\n- Editors can view/edit/delete all dashboards/folders regardless of permissions\n\n- Editors can create dashboards in any folder regardless of permissions\n\n- Anonymous users with viewer/editor roles are similarly affected\n\nOrganization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T10:06:39.039Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/CVE-2025-3260/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-3260",
"datePublished": "2025-06-02T10:06:39.039Z",
"dateReserved": "2025-04-04T09:06:12.014Z",
"dateUpdated": "2025-06-02T12:14:34.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43813 (GCVE-0-2021-43813)
Vulnerability from cvelistv5
Published
2021-12-10 17:30
Modified
2024-08-04 04:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:09.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 7.5.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T12:06:27",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
],
"source": {
"advisory": "GHSA-c3q8-26ph-9g2q",
"discovery": "UNKNOWN"
},
"title": "Directory Traversal in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43813",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.0.0, \u003c 7.5.12"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.2"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
},
{
"name": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f",
"refsource": "MISC",
"url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
},
{
"name": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
},
{
"name": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220107-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
}
]
},
"source": {
"advisory": "GHSA-c3q8-26ph-9g2q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43813",
"datePublished": "2021-12-10T17:30:12",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:09.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22462 (GCVE-0-2023-22462)
Vulnerability from cvelistv5
Published
2023-03-02 00:06
Modified
2025-02-13 16:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf"
},
{
"name": "https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165"
},
{
"name": "https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230413-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:15:55.895243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T18:34:16.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.2, \u003c 9.2.10"
},
{
"status": "affected",
"version": "\u003e= 9.3, \u003c 9.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin \"Text\". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React\u0027s render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana\u0027s database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on \"Markdown\" or \"HTML\" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-13T16:06:22.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf"
},
{
"name": "https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165"
},
{
"name": "https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/",
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230413-0004/"
}
],
"source": {
"advisory": "GHSA-7rqg-hjwc-6mjf",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Grafana Text plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22462",
"datePublished": "2023-03-02T00:06:59.876Z",
"dateReserved": "2022-12-29T03:00:40.879Z",
"dateUpdated": "2025-02-13T16:43:52.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3580 (GCVE-0-2025-3580)
Vulnerability from cvelistv5
Published
2025-05-23 13:44
Modified
2025-07-17 10:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
1. An Organization administrator exists
2. The Server administrator is either:
- Not part of any organization, or
- Part of the same organization as the Organization administrator
Impact:
- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:04:27.385036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T14:05:09.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.1",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "11.6.2",
"status": "affected",
"version": "11.6.1",
"versionType": "semver"
},
{
"lessThan": "11.5.5",
"status": "affected",
"version": "11.5.4",
"versionType": "semver"
},
{
"lessThan": "11.4.5",
"status": "affected",
"version": "11.4.4",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.6",
"versionType": "semver"
},
{
"lessThan": "11.2.10",
"status": "affected",
"version": "11.2.9",
"versionType": "semver"
},
{
"lessThan": "10.4.19",
"status": "affected",
"version": "10.4.18",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saket Pandey"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\u003c/p\u003e\u003cp\u003eThe vulnerability can be exploited when:\u003c/p\u003e\u003cp\u003e1. An Organization administrator exists\u003c/p\u003e\u003cp\u003e2. The Server administrator is either:\u003c/p\u003e\u003ccode\u003e - Not part of any organization, or\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e - Part of the same organization as the Organization administrator\u003c/code\u003e\u003cbr\u003e\u003cp\u003eImpact:\u003c/p\u003e\u003cp\u003e- Organization administrators can permanently delete Server administrator accounts\u003c/p\u003e\u003cp\u003e- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\u003c/p\u003e\u003cp\u003e- No super-user permissions remain in the system\u003c/p\u003e\u003cp\u003e- Affects all users, organizations, and teams managed in the instance\u003c/p\u003e\u003cp\u003eThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.\u003c/p\u003e"
}
],
"value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n - Not part of any organization, or\n - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T10:28:18.011Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-3580/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-3580",
"datePublished": "2025-05-23T13:44:45.974Z",
"dateReserved": "2025-04-14T10:36:24.956Z",
"dateUpdated": "2025-07-17T10:28:18.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6152 (GCVE-0-2023-6152)
Vulnerability from cvelistv5
Published
2024-02-13 21:38
Modified
2025-02-15 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A user changing their email after signing up and verifying it can change it without verification in profile settings.
The configuration option "verify_email_enabled" will only validate email only on sign up.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 2.5.0 ≤ Version: 10.0.0 ≤ Version: 10.1.0 ≤ Version: 10.2.0 ≤ Version: 10.3.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-15T00:10:28.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-6152/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250214-0008/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"lessThan": "9.5.16",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "10.0.11",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThan": "10.1.7",
"status": "affected",
"version": "10.10",
"versionType": "custom"
},
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"lessThan": "10.3.3",
"status": "affected",
"version": "10.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:grafana:grafana_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "grafana_enterprise",
"vendor": "grafana",
"versions": [
{
"lessThan": "9.5.16",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "10.0.11",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThan": "10.1.7",
"status": "affected",
"version": "10.10",
"versionType": "custom"
},
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"lessThan": "10.3.3",
"status": "affected",
"version": "10.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T15:42:45.786092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T15:51:56.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.16",
"status": "affected",
"version": "2.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.11",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.7",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.3",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.16",
"status": "affected",
"version": "2.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.11",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.7",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.3",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA user changing their email after signing up and verifying it can change it without verification in profile settings.\u003c/p\u003e\u003cp\u003eThe configuration option \"verify_email_enabled\" will only validate email only on sign up.\u003c/p\u003e"
}
],
"value": "A user changing their email after signing up and verifying it can change it without verification in profile settings.\n\nThe configuration option \"verify_email_enabled\" will only validate email only on sign up.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T21:38:01.404Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-6152/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-6152",
"datePublished": "2024-02-13T21:38:01.404Z",
"dateReserved": "2023-11-15T12:44:28.824Z",
"dateUpdated": "2025-02-15T00:10:28.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23498 (GCVE-0-2022-23498)
Vulnerability from cvelistv5
Published
2023-02-03 21:34
Modified
2025-03-05 19:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.002Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230309-0007/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23498",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:42:19.487478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:27:24.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.3.0-beta1, \u003c 9.2.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user\u2019s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T21:34:58.677Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"
}
],
"source": {
"advisory": "GHSA-2j8f-6whh-frc8",
"discovery": "UNKNOWN"
},
"title": "When query caching is enabled in Grafana users can query another users session"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23498",
"datePublished": "2023-02-03T21:34:58.677Z",
"dateReserved": "2022-01-19T21:23:53.768Z",
"dateUpdated": "2025-03-05T19:27:24.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6197 (GCVE-0-2025-6197)
Vulnerability from cvelistv5
Published
2025-07-18 07:48
Modified
2025-07-18 13:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.
Prerequisites for exploitation:
- Multiple organizations must exist in the Grafana instance
- Victim must be on a different organization than the one specified in the URL
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T13:45:54.505880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T13:46:01.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.2+security-01",
"status": "affected",
"version": "12.0.x",
"versionType": "semver"
},
{
"lessThan": "11.6.3+security-01",
"status": "affected",
"version": "11.6.x",
"versionType": "semver"
},
{
"lessThan": "11.5.6+security-01",
"status": "affected",
"version": "11.5.x",
"versionType": "semver"
},
{
"lessThan": "11.4.6+security-01",
"status": "affected",
"version": "11.4.x",
"versionType": "semver"
},
{
"lessThan": "11.3.8+security-01",
"status": "affected",
"version": "11.3.x",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dat Phung"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\u003cbr\u003e\u003c/p\u003e\u003cp\u003ePrerequisites for exploitation:\u003c/p\u003e\u003cp\u003e- Multiple organizations must exist in the Grafana instance\u003c/p\u003e\u003cp\u003e- Victim must be on a different organization than the one specified in the URL\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\n\n\nPrerequisites for exploitation:\n\n- Multiple organizations must exist in the Grafana instance\n\n- Victim must be on a different organization than the one specified in the URL"
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T07:49:16.382Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"name": "Vulnerable code location",
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-6197/"
},
{
"tags": [
"mitigation",
"release-notes"
],
"url": "https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-6197",
"datePublished": "2025-07-18T07:48:22.523Z",
"dateReserved": "2025-06-17T07:22:18.547Z",
"dateUpdated": "2025-07-18T13:46:01.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39324 (GCVE-0-2022-39324)
Vulnerability from cvelistv5
Published
2023-01-27 22:42
Modified
2024-08-03 12:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230309-0010/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw"
},
{
"name": "https://github.com/grafana/grafana/pull/60232",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/60232"
},
{
"name": "https://github.com/grafana/grafana/pull/60256",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/60256"
},
{
"name": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a"
},
{
"name": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T15:45:24.258579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:45:36.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.16"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker\u2019s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T22:42:01.550Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw"
},
{
"name": "https://github.com/grafana/grafana/pull/60232",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/60232"
},
{
"name": "https://github.com/grafana/grafana/pull/60256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/60256"
},
{
"name": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a"
},
{
"name": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c"
}
],
"source": {
"advisory": "GHSA-4724-7jwc-3fpw",
"discovery": "UNKNOWN"
},
"title": "Grafana vulnerable to spoofing originalUrl of snapshots"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39324",
"datePublished": "2023-01-27T22:42:01.550Z",
"dateReserved": "2022-09-02T14:16:35.872Z",
"dateUpdated": "2024-08-03T12:00:44.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41244 (GCVE-0-2021-41244)
Vulnerability from cvelistv5
Published
2021-11-15 20:05
Modified
2024-08-04 03:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-23T12:07:05",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
],
"source": {
"advisory": "GHSA-mpwp-42x6-4wmx",
"discovery": "UNKNOWN"
},
"title": "Cross organization admin control in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41244",
"STATE": "PUBLIC",
"TITLE": "Cross organization admin control in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.4"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"name": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211223-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
]
},
"source": {
"advisory": "GHSA-mpwp-42x6-4wmx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41244",
"datePublished": "2021-11-15T20:05:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T03:08:31.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0507 (GCVE-0-2023-0507)
Vulnerability from cvelistv5
Published
2023-03-01 15:35
Modified
2025-03-07 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript.
This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.
Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 8.1.0 ≤ Version: 9.0.0 ≤ Version: 9.3.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:49.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-0507/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230413-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T19:32:52.241575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T19:33:21.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.21",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "9.2.13",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.21",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "9.2.13",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. \u003c/p\u003e\u003cp\u003eThe stored XSS vulnerability was possible due to map attributions weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \u003c/p\u003e\u003cp\u003eAn attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. \u003c/p\u003e\u003cp\u003eThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \u003c/p\u003e\u003cp\u003eUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. \u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. \n\nThe stored XSS vulnerability was possible due to map attributions weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. \n\nThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-13T16:06:25.719Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-0507/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230413-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-0507",
"datePublished": "2023-03-01T15:35:55.259Z",
"dateReserved": "2023-01-25T15:05:48.661Z",
"dateUpdated": "2025-03-07T19:33:21.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21702 (GCVE-0-2022-21702)
Vulnerability from cvelistv5
Published
2022-02-08 19:40
Modified
2025-04-22 18:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:53:34.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:44.646427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:22:39.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-beta1, \u003c 7.5.15"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-07T07:06:28.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"source": {
"advisory": "GHSA-xc3p-28hw-q24g",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting in Grafana proxy",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21702",
"STATE": "PUBLIC",
"TITLE": "Cross site scripting in Grafana proxy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0-beta1, \u003c 7.5.15"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g"
},
{
"name": "https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85"
},
{
"name": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220303-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
]
},
"source": {
"advisory": "GHSA-xc3p-28hw-q24g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21702",
"datePublished": "2022-02-08T19:40:11.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:22:39.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41174 (GCVE-0-2021-41174)
Vulnerability from cvelistv5
Published
2021-11-03 18:00
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-25T06:06:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
}
],
"source": {
"advisory": "GHSA-3j9m-hcv9-rpj8",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability allowing arbitrary JavaScript execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41174",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability allowing arbitrary JavaScript execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.3"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
},
{
"name": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
},
{
"name": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
},
{
"name": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211125-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
}
]
},
"source": {
"advisory": "GHSA-3j9m-hcv9-rpj8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41174",
"datePublished": "2021-11-03T18:00:12",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36062 (GCVE-0-2022-36062)
Vulnerability from cvelistv5
Published
2022-09-22 00:00
Modified
2025-04-23 16:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:57:22.005795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:56:40.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.13"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.9"
},
{
"status": "affected",
"version": "\u003e= 9.1.0, \u003c 9.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"source": {
"advisory": "GHSA-p978-56hq-r492",
"discovery": "UNKNOWN"
},
"title": "Grafana folders admin only permission privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36062",
"datePublished": "2022-09-22T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:56:40.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2801 (GCVE-0-2023-2801)
Vulnerability from cvelistv5
Published
2023-06-06 18:03
Modified
2025-02-13 16:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.
The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.
This might enable malicious users to crash Grafana instances through that endpoint.
Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 9.4.0 ≤ Version: 9.5.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:05.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T18:27:46.406382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T18:27:59.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\u003c/p\u003e\u003cp\u003eThe only feature that uses mixed queries at the moment is public dashboards, but it\u0027s also possible to cause this by calling the query API directly.\u003c/p\u003e\u003cp\u003eThis might enable malicious users to crash Grafana instances through that endpoint.\u003c/p\u003e\u003cp\u003eUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it\u0027s also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-820",
"description": "CWE-820",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T18:06:29.011Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-2801",
"datePublished": "2023-06-06T18:03:32.459Z",
"dateReserved": "2023-05-18T16:22:13.573Z",
"dateUpdated": "2025-02-13T16:45:38.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39201 (GCVE-0-2022-39201)
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2025-04-23 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:42.561Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:55.306631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:50:44.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= v5.0.0-beta1, \u003c 8.5.14"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user\u0027s Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr"
},
{
"url": "https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57"
},
{
"url": "https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9"
}
],
"source": {
"advisory": "GHSA-x744-mm8v-vpgr",
"discovery": "UNKNOWN"
},
"title": "Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39201",
"datePublished": "2022-10-13T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:50:44.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2703 (GCVE-0-2025-2703)
Vulnerability from cvelistv5
Published
2025-04-23 11:36
Modified
2025-06-10 10:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.
A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 11.6.0 ≤ Version: 11.5.0 ≤ Version: 11.4.0 ≤ Version: 11.3.0 ≤ Version: 11.2.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:20:27.622977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:20:51.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.0+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "11.5.3+security-01",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThan": "11.4.3+security-01",
"status": "affected",
"version": "11.4.0",
"versionType": "semver"
},
{
"lessThan": "11.3.5+security-01",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.0+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "11.5.3+security-01",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThan": "11.4.3+security-01",
"status": "affected",
"version": "11.4.0",
"versionType": "semver"
},
{
"lessThan": "11.3.5+security-01",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Paul Gerste (Sonar)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \u003c/p\u003e\u003cp\u003eA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.\u003c/p\u003e"
}
],
"value": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \n\nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T10:53:48.851Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-2703"
},
{
"url": "https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-2703",
"datePublished": "2025-04-23T11:36:02.852Z",
"dateReserved": "2025-03-24T07:33:46.939Z",
"dateUpdated": "2025-06-10T10:53:48.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39306 (GCVE-0-2022-39306)
Vulnerability from cvelistv5
Published
2022-11-09 00:00
Modified
2025-04-23 16:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:04.914301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:39:48.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.15"
},
{
"status": "affected",
"version": "\u003e= 9.v9.0.0-beta1, \u003c 9.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0004/"
}
],
"source": {
"advisory": "GHSA-2x6g-h2hg-rq84",
"discovery": "UNKNOWN"
},
"title": "Grafana contains Improper Input Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39306",
"datePublished": "2022-11-09T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:39:48.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0594 (GCVE-0-2023-0594)
Vulnerability from cvelistv5
Published
2023-03-01 15:36
Modified
2025-03-07 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is an open-source platform for monitoring and observability.
Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization.
The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded.
An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript.
This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.
Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 7.0.0 ≤ Version: 9.0.0 ≤ Version: 9.3.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230331-0007/"
},
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-0594/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T19:34:05.808035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T19:34:28.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.21",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.13",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.21",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.13",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. \u003c/p\u003e\u003cp\u003eThe stored XSS vulnerability was possible due the value of a span\u0027s attributes/resources were not properly sanitized and this will be rendered when the span\u0027s attributes/resources are expanded.\u003c/p\u003e\u003cp\u003eAn attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. \u003c/p\u003e\u003cp\u003eThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \u003c/p\u003e\u003cp\u003eUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. \u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. \n\nThe stored XSS vulnerability was possible due the value of a span\u0027s attributes/resources were not properly sanitized and this will be rendered when the span\u0027s attributes/resources are expanded.\n\nAn attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. \n\nThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. \n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-04T10:15:49.096Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-0594/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-0594",
"datePublished": "2023-03-01T15:36:43.881Z",
"dateReserved": "2023-01-31T10:37:31.334Z",
"dateUpdated": "2025-03-07T19:34:28.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39229 (GCVE-0-2022-39229)
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2025-04-23 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.379Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:25.430769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:50:38.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.1.8"
},
{
"status": "affected",
"version": "\u003e= 8.5.0, \u003c 8.5.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user\u0027s login attempt by registering someone else\u0027e email address as a username. A Grafana user\u2019s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`\u2019s email address. This prevents `user_1` logging into the application since `user_1`\u0027s password won\u2019t match with `user_2`\u0027s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r"
},
{
"url": "https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35"
}
],
"source": {
"advisory": "GHSA-gj7m-853r-289r",
"discovery": "UNKNOWN"
},
"title": "Grafana users with email as a username can block other users from signing in"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39229",
"datePublished": "2022-10-13T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:50:38.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11741 (GCVE-0-2024-11741)
Vulnerability from cvelistv5
Published
2025-01-31 15:12
Modified
2025-05-09 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open-source platform for monitoring and observability.
The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T15:31:59.645050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:32:13.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-09T20:03:33.716Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250509-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.4.1",
"status": "affected",
"version": "11.4.0",
"versionType": "custom"
},
{
"lessThan": "11.3.3",
"status": "affected",
"version": "11.3.0",
"versionType": "custom"
},
{
"lessThan": "11.2.6",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"lessThan": "11.1.11",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"lessThan": "10.4.15",
"status": "affected",
"version": "10.4.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Grafana is an open-source platform for monitoring and observability. \u003cbr\u003eThe Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. \u003cbr\u003eFixed in versions 11.5.0, 11.4.1, 11.3.3,\u0026nbsp; 11.2.6, 11.1.11, 11.0.11 and 10.4.15"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \nThe Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 11.5.0, 11.4.1, 11.3.3,\u00a0 11.2.6, 11.1.11, 11.0.11 and 10.4.15"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:12:29.122Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-11741/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-11741",
"datePublished": "2025-01-31T15:12:29.122Z",
"dateReserved": "2024-11-26T13:17:13.248Z",
"dateUpdated": "2025-05-09T20:03:33.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1088 (GCVE-0-2025-1088)
Vulnerability from cvelistv5
Published
2025-06-18 09:54
Modified
2025-10-30 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana.
This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T13:27:31.207693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T13:32:38.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jinay Patel"
},
{
"lang": "en",
"type": "finder",
"value": "Shrey Shah"
}
],
"datePublic": "2025-06-18T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana.\u003cbr\u003eThis issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher."
}
],
"value": "In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana.\nThis issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T17:55:04.344Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-1088/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Very long unicode dashboard title or panel name can hang the frontend",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-1088",
"datePublished": "2025-06-18T09:54:30.329Z",
"dateReserved": "2025-02-06T16:20:20.820Z",
"dateUpdated": "2025-10-30T17:55:04.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6023 (GCVE-0-2025-6023)
Vulnerability from cvelistv5
Published
2025-07-18 07:48
Modified
2025-07-18 13:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T13:46:38.999015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T13:46:45.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.2+security-01",
"status": "affected",
"version": "12.0.x",
"versionType": "semver"
},
{
"lessThan": "11.6.3+security-01",
"status": "affected",
"version": "11.6.x",
"versionType": "semver"
},
{
"lessThan": "11.5.6+security-01",
"status": "affected",
"version": "11.5.x",
"versionType": "semver"
},
{
"lessThan": "11.4.6+security-01",
"status": "affected",
"version": "11.4.x",
"versionType": "semver"
},
{
"lessThan": "11.3.8+security-01",
"status": "affected",
"version": "11.3.x",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hoa X. Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.\u003c/p\u003e\u003cp\u003eThe open redirect can be chained with path traversal vulnerabilities to achieve XSS.\u003cbr\u003e\u003cbr\u003eFixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01\u003c/p\u003e"
}
],
"value": "An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.\n\nThe open redirect can be chained with path traversal vulnerabilities to achieve XSS.\n\nFixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01"
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194"
}
]
},
{
"capecId": "CAPEC-209",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-209"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T07:49:54.804Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"name": "Security vulnerability management issue",
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-6023/"
},
{
"tags": [
"release-notes",
"mitigation"
],
"url": "https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-6023",
"datePublished": "2025-07-18T07:48:15.972Z",
"dateReserved": "2025-06-12T07:05:20.773Z",
"dateUpdated": "2025-07-18T13:46:45.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39307 (GCVE-0-2022-39307)
Vulnerability from cvelistv5
Published
2022-11-09 00:00
Modified
2025-04-23 16:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.036Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:00.761938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:39:42.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= v9.0.0-beta1, \u003c 9.2.4"
},
{
"status": "affected",
"version": "\u003c 8.5.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a \u201cuser not found\u201d message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0004/"
}
],
"source": {
"advisory": "GHSA-3p62-42x7-gxg5",
"discovery": "UNKNOWN"
},
"title": "Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39307",
"datePublished": "2022-11-09T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:39:42.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31097 (GCVE-0-2022-31097)
Vulnerability from cvelistv5
Published
2022-07-15 12:10
Modified
2025-04-23 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:38.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:25.770174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:01:50.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.3"
},
{
"status": "affected",
"version": "\u003e= 8.5.0, \u003c 8.5.9"
},
{
"status": "affected",
"version": "\u003e= 8.4.0, \u003c 8.4.10"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-01T13:06:34.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
],
"source": {
"advisory": "GHSA-vw7q-p2qg-4m5f",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Grafana\u0027s Unified Alerting",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31097",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in Grafana\u0027s Unified Alerting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0, \u003c 9.0.3"
},
{
"version_value": "\u003e= 8.5.0, \u003c 8.5.9"
},
{
"version_value": "\u003e= 8.4.0, \u003c 8.4.10"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.10"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/"
},
{
"name": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220901-0010/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220901-0010/"
}
]
},
"source": {
"advisory": "GHSA-vw7q-p2qg-4m5f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31097",
"datePublished": "2022-07-15T12:10:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:01:50.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10452 (GCVE-0-2024-10452)
Vulnerability from cvelistv5
Published
2024-10-29 15:16
Modified
2024-10-29 15:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
Organization admins can delete pending invites created in an organization they are not part of.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T15:35:24.824806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T15:35:35.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"status": "affected",
"version": "10.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Organization admins can delete pending invites created in an organization they are not part of."
}
],
"value": "Organization admins can delete pending invites created in an organization they are not part of."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T15:16:22.405Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-10452"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-10452",
"datePublished": "2024-10-29T15:16:22.405Z",
"dateReserved": "2024-10-28T09:08:31.193Z",
"dateUpdated": "2024-10-29T15:35:35.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3128 (GCVE-0-2023-3128)
Vulnerability from cvelistv5
Published
2023-06-22 20:14
Modified
2025-02-13 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 9.5.0 ≤ Version: 9.4.0 ≤ Version: 9.3.0 ≤ Version: 9.2.0 ≤ Version: 6.7.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:07.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-3128/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230714-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3128",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T15:26:35.297129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T15:26:43.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.4",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "9.4.13",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.3.16",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.2.20",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "8.5.27",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.4",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "9.4.13",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.3.16",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.2.20",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "8.5.27",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is validating Azure AD accounts based on the email claim. \u003c/p\u003e\u003cp\u003eOn Azure AD, the profile email field is not unique and can be easily modified. \u003c/p\u003e\u003cp\u003eThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. \u003c/p\u003e"
}
],
"value": "Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T07:06:14.710Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-3128/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230714-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-3128",
"datePublished": "2023-06-22T20:14:00.805Z",
"dateReserved": "2023-06-06T15:02:55.259Z",
"dateUpdated": "2025-02-13T16:49:48.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39226 (GCVE-0-2021-39226)
Vulnerability from cvelistv5
Published
2021-10-05 17:30
Modified
2025-10-21 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-39226",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T19:36:13.338394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-08-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:30.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-25T00:00:00+00:00",
"value": "CVE-2021-39226 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.1.6"
},
{
"status": "affected",
"version": "\u003c 7.5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-30T01:08:52.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
],
"source": {
"advisory": "GHSA-69j6-29vr-p3j9",
"discovery": "UNKNOWN"
},
"title": " Snapshot authentication bypass in grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39226",
"STATE": "PUBLIC",
"TITLE": " Snapshot authentication bypass in grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.1.6"
},
{
"version_value": "\u003c 7.5.11"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"name": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211029-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
]
},
"source": {
"advisory": "GHSA-69j6-29vr-p3j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39226",
"datePublished": "2021-10-05T17:30:11.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:30.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31123 (GCVE-0-2022-31123)
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2025-04-23 16:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221124-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:01.294118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:51:03.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.14"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-24T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"
},
{
"url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221124-0002/"
}
],
"source": {
"advisory": "GHSA-rhxj-gh46-jvw8",
"discovery": "UNKNOWN"
},
"title": "Grafana plugin signature bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31123",
"datePublished": "2022-10-13T00:00:00.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:51:03.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39328 (GCVE-0-2022-39328)
Vulnerability from cvelistv5
Published
2022-11-08 00:00
Modified
2025-04-23 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:17.733991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:40:06.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.2.0, \u003c 9.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
}
],
"source": {
"advisory": "GHSA-vqc4-mpj8-jxch",
"discovery": "UNKNOWN"
},
"title": "Grafana vulnerable to race condition allowing privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39328",
"datePublished": "2022-11-08T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:40:06.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21703 (GCVE-0-2022-21703)
Vulnerability from cvelistv5
Published
2022-02-08 20:40
Modified
2025-04-23 19:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:53:35.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:11:04.630434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:06:44.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0-beta1, \u003c 7.5.15"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-07T07:06:31.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
],
"source": {
"advisory": "GHSA-cmf4-h3xc-jw8w",
"discovery": "UNKNOWN"
},
"title": "Cross Site Request Forgery in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21703",
"STATE": "PUBLIC",
"TITLE": "Cross Site Request Forgery in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.0-beta1, \u003c 7.5.15"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.3.5"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w"
},
{
"name": "https://github.com/grafana/grafana/pull/45083",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/pull/45083"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220303-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
},
{
"name": "FEDORA-2022-83405f9d5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
},
{
"name": "FEDORA-2022-9dd03cab55",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
},
{
"name": "FEDORA-2022-c5383675d9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
}
]
},
"source": {
"advisory": "GHSA-cmf4-h3xc-jw8w",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21703",
"datePublished": "2022-02-08T20:40:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:06:44.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23552 (GCVE-0-2022-23552)
Vulnerability from cvelistv5
Published
2023-01-27 22:59
Modified
2024-08-03 03:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard.
Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0008/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23552",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T14:04:19.237399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:04:27.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0, \u003c 9.2.10"
},
{
"status": "affected",
"version": "\u003e= 9.3, \u003c 9.3.4"
},
{
"status": "affected",
"version": "\u003e= 8.1, \u003c 8.5.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T22:59:16.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
}
],
"source": {
"advisory": "GHSA-8xmm-x63g-f6xv",
"discovery": "UNKNOWN"
},
"title": "Grafana stored XSS in FileUploader component "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23552",
"datePublished": "2023-01-27T22:59:16.675Z",
"dateReserved": "2022-01-19T21:23:53.801Z",
"dateUpdated": "2024-08-03T03:43:46.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3415 (GCVE-0-2025-3415)
Vulnerability from cvelistv5
Published
2025-07-17 10:13
Modified
2025-07-17 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:05:03.257904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:05:19.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "10.4.19+security-01",
"status": "affected",
"version": "10.4.x",
"versionType": "semver"
},
{
"lessThan": "11.2.10+security-01",
"status": "affected",
"version": "11.2.x",
"versionType": "semver"
},
{
"lessThan": "11.3.7+security-01",
"status": "affected",
"version": "11.3.x",
"versionType": "semver"
},
{
"lessThan": "11.4.5+security-01",
"status": "affected",
"version": "11.4.x",
"versionType": "semver"
},
{
"lessThan": "11.5.5+security-01",
"status": "affected",
"version": "11.5.x",
"versionType": "semver"
},
{
"lessThan": "11.6.2+security-01",
"status": "affected",
"version": "11.6.x",
"versionType": "semver"
},
{
"lessThan": "12.0.1+security-01",
"status": "affected",
"version": "12.0.x",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saurabh Banawar"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \u003cbr\u003eFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"Automatable": "No",
"Exploitation": "None",
"Technical Impact": "None",
"Value Density": "Diffused"
},
"type": "SSVCv2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T10:30:00.918Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-3415"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-3415",
"datePublished": "2025-07-17T10:13:14.717Z",
"dateReserved": "2025-04-07T14:28:18.797Z",
"dateUpdated": "2025-07-17T14:05:19.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43798 (GCVE-0-2021-43798)
Vulnerability from cvelistv5
Published
2021-12-07 18:25
Modified
2025-10-21 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html"
},
{
"name": "[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/09/2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211229-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-43798",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T03:55:40.438037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-10-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:24.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-09T00:00:00+00:00",
"value": "CVE-2021-43798 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.8"
},
{
"status": "affected",
"version": "\u003e= 8.2.0, \u003c 8.2.7"
},
{
"status": "affected",
"version": "= 8.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `\u003cgrafana_host_url\u003e/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-29T20:06:36.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html"
},
{
"name": "[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/09/2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211229-0004/"
}
],
"source": {
"advisory": "GHSA-8pjx-jj86-j47p",
"discovery": "UNKNOWN"
},
"title": "Grafana path traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43798",
"STATE": "PUBLIC",
"TITLE": "Grafana path traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.0.7"
},
{
"version_value": "\u003e= 8.1.0, \u003c 8.1.8"
},
{
"version_value": "\u003e= 8.2.0, \u003c 8.2.7"
},
{
"version_value": "= 8.3.0"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `\u003cgrafana_host_url\u003e/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p"
},
{
"name": "https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce"
},
{
"name": "http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html"
},
{
"name": "https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/",
"refsource": "CONFIRM",
"url": "https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/"
},
{
"name": "http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html"
},
{
"name": "[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/09/2"
},
{
"name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211229-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211229-0004/"
}
]
},
"source": {
"advisory": "GHSA-8pjx-jj86-j47p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43798",
"datePublished": "2021-12-07T18:25:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:24.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3454 (GCVE-0-2025-3454)
Vulnerability from cvelistv5
Published
2025-06-02 10:34
Modified
2025-06-02 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.
Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.
The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Grafana | Grafana |
Version: 11.6.0 ≤ Version: 11.5.0 ≤ Version: 11.4.0 ≤ Version: 11.3.0 ≤ Version: 11.2.0 ≤ Version: 10.4.0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T12:03:59.158063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T12:04:24.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.0+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "11.5.3+security-01",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThan": "11.4.3+security-01",
"status": "affected",
"version": "11.4.0",
"versionType": "semver"
},
{
"lessThan": "11.3.5+security-01",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "10.4.17+security-01",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.0+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "11.5.3+security-01",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThan": "11.4.3+security-01",
"status": "affected",
"version": "11.4.0",
"versionType": "semver"
},
{
"lessThan": "11.3.5+security-01",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "10.4.17+security-01",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis vulnerability in Grafana\u0027s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.\u003c/p\u003e\u003cp\u003eUsers with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.\u003c/p\u003e\u003cp\u003eThe issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.\u003c/p\u003e"
}
],
"value": "This vulnerability in Grafana\u0027s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.\n\nUsers with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.\n\nThe issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T10:34:09.254Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-3454/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-3454",
"datePublished": "2025-06-02T10:34:09.254Z",
"dateReserved": "2025-04-08T20:40:44.631Z",
"dateUpdated": "2025-06-02T12:04:24.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}