Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redosRedosROS-20240404-01
HistoryApr 04, 2024 - 12:00 a.m.

ROS-20240404-01

2024-04-0400:00:00
redos.red-soft.ru
3
authentication bypass
user registration
forgotten password
web page security
svg file security
privilege escalation
user data security
administrator escalation
plugin security
access control flaws

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

67.5%

JSON

A vulnerability in the Grafana web-based data submission tool is related to authentication bypass via
spoofing. Exploitation of the vulnerability could allow an attacker acting remotely to gain full
access to a user’s account

A vulnerability in the Grafana monitoring and surveillance platform is related to the ability for users to
to register with any username/email address the user chooses.
Exploitation of the vulnerability could allow an attacker to bypass existing security restrictions

A vulnerability in the Grafana monitoring and surveillance platform is related to the use of a forgotten password on the login page of the system.
The login page sends a POST request to the URL /api/user/password/sent-reset-email.
Exploitation of the vulnerability could allow an attacker acting remotely to obtain sensitive
data

A vulnerability in the Trace View pane of the Grafana web-based data presentation tool is related to insufficient protection of the web page structure when processing sensitive data.
protection of the web page structure when processing attribute values and range resources. Exploitation
exploitation of the vulnerability could allow a remote attacker to escalate privileges and perform a cross-site scripted attack.
cross-site scripting attacks

A vulnerability in the Grafana monitoring and surveillance platform is related to the presence of SVG files that were not properly cleaned and allowed for cross-site scripting attacks.
properly cleaned and allowed arbitrary JavaScript to be executed in the context of the current
authorized user of a Grafana instance. Exploitation of the vulnerability could allow an attacker,
acting remotely, to perform cross-site scripting (XSS) attacks

A vulnerability in the Grafana monitoring and surveillance platform is related to the registration of someone else’s email address as a username.
email address as a username. Exploitation of the vulnerability could allow an attacker,
acting remotely, to block a login attempt.

A vulnerability in the Grafana monitoring and surveillance platform is related to escalation from administrator to
server administrator when using an authentication proxy. Exploitation of the vulnerability could
allow a remote attacker to gain unauthorized access to information and compromise its integrity and availability.
its integrity and availability

A vulnerability in the Grafana monitoring and surveillance platform is related to the transfer of user authentication cookies to plug-ins.
user authentication cookies to plugins. Exploitation of the vulnerability could allow an attacker acting remotely to access sensitive data and compromise its integrity and availability.
remotely to obtain sensitive data

A vulnerability in Grafana’s web-based data submission tool is related to insufficient cleansing of
of user data. Exploitation of the vulnerability could allow a remote attacker to,
Perform cross-site scripting (XSS) attacks

Grafana monitoring and surveillance platform vulnerability is related to bypassing plugin signature verification.
Exploitation of the vulnerability could allow an attacker acting remotely to install malicious
malware on a vulnerable device

A vulnerability in the Grafana monitoring and surveillance platform is related to passing authentication tokens to some target plugins.
to some target plug-ins. Exploitation of the vulnerability could allow an attacker acting remotely,
obtain sensitive data

A vulnerability in the Grafana web-based data submission tool is related to a lack of protection for proprietary data.
Exploitation of the vulnerability could allow an attacker acting remotely to access the session of
current user

Vulnerability in the program interface of the Grafana web-based presentation tool is related to deficiencies in
access control flaws in endpoint processing. Exploitation of the vulnerability could allow an attacker,
acting remotely, escalate their privileges and conduct phishing attacks by sending customized
crafted e-mail messages

A vulnerability in the Grafana monitoring and surveillance platform involves the creation of a snapshot and arbitrarily
selecting the “originalUrl” parameter by editing the request, thanks to a web proxy. Exploitation of the vulnerability
could allow an attacker acting remotely to inject an injected URL

OSVersionArchitecturePackageVersionFilename
redos7.3x86_64grafana<= 10.3.3-1.1UNKNOWN

Related

nessus 30
openvas 18
osv 31
almalinux 4
oraclelinux 4
redhat 6
freebsd 13
redhatcve 13
altlinux 1
redos 1
veracode 13
ubuntucve 10
alpinelinux 8
cnvd 3
prion 12
github 2
ibm 9
cve 12
cgr 6
fedora 1
rocky 1
rosalinux 1
nessus
nessus
openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0353-1)
2023-02-14 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)
2023-02-14 00:00:00
Oracle Linux 9 : grafana (ELSA-2023-6420)
2023-11-16 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:0362-1)
2023-02-13 00:00:00
openSUSE: Security Advisory for grafana (SUSE-SU-2023:0362-1)
2024-03-04 00:00:00
Grafana < 8.5.15, 9 < 9.2.4 Multiple Vulnerabilities
2022-11-14 00:00:00
osv
osv
Moderate: grafana security and enhancement update
2023-11-07 00:00:00
Grafana vulnerable to Stored Cross-site Scripting in Text plugin
2023-03-01 20:56:49
BIT-grafana-2023-22462
2024-03-06 10:53:25
almalinux
almalinux
Moderate: grafana security and enhancement update
2023-11-07 00:00:00
Moderate: grafana security and enhancement update
2023-05-09 00:00:00
Moderate: grafana security and enhancement update
2023-11-14 00:00:00
oraclelinux
oraclelinux
grafana security and enhancement update
2023-11-11 00:00:00
grafana security and enhancement update
2023-05-15 00:00:00
grafana security update
2023-07-19 00:00:00
redhat
redhat
(RHSA-2023:6420) Moderate: grafana security and enhancement update
2023-11-07 06:05:17
(RHSA-2024:0746) Important: new container image: rhceph-5.3
2024-02-08 16:24:16
(RHSA-2023:2167) Moderate: grafana security and enhancement update
2023-05-09 05:02:10
freebsd
freebsd
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
2022-06-26 00:00:00
Grafana -- Improper authentication
2022-09-07 00:00:00
Grafana -- Plugin signature bypass
2022-07-04 00:00:00
redhatcve
redhatcve
CVE-2022-39328
2022-11-09 04:56:18
CVE-2022-39307
2022-11-09 04:56:08
CVE-2022-39306
2022-11-09 04:55:58
altlinux
altlinux
Security fix for the ALT Linux 10 package grafana version 8.5.20-alt1
2023-01-31 00:00:00
redos
redos
ROS-20240403-14
2024-04-03 00:00:00
veracode
veracode
Privilege Escalation
2022-11-10 02:23:25
Cross Site Scripting (XSS)
2023-02-02 11:20:58
Information Disclosure
2023-02-08 01:57:04
ubuntucve
ubuntucve
CVE-2022-23498
2023-02-03 00:00:00
CVE-2022-39307
2022-11-09 00:00:00
CVE-2022-39306
2022-11-09 00:00:00
alpinelinux
alpinelinux
CVE-2022-31123
2022-10-13 22:15:00
CVE-2022-39307
2022-11-09 23:15:00
CVE-2023-22462
2023-03-02 01:15:00
cnvd
cnvd
Grafana Account Enumeration Vulnerability
2022-11-10 00:00:00
Grafana Denial of Service Vulnerability
2022-10-14 00:00:00
Grafana Competition Conditions Vulnerability
2022-11-10 00:00:00
prion
prion
Session fixation
2023-02-03 22:15:00
Cross site scripting
2023-03-02 01:15:00
Design/Logic Flaw
2022-10-13 22:15:00
github
github
Grafana vulnerable to Stored Cross-site Scripting in Text plugin
2023-03-01 20:56:49
Grafana vulnerable to Authentication Bypass by Spoofing
2023-06-22 21:30:49
ibm
ibm
Security Bulletin: IBM Storage Ceph is vulnerable to improper authentication in Grafana (CVE-2022-39229)
2023-11-01 19:38:48
Security Bulletin: IBM Storage Ceph is vulnerable to improper input validation in Grafana (CVE-2022-39306)
2023-11-01 19:34:46
Security Bulletin: IBM Storage Ceph is vulnerable to Cross-site Scripting in Grafana (CVE-2023-22462)
2023-11-01 20:02:31
cve
cve
CVE-2022-39306
2022-11-09 22:15:00
CVE-2022-39324
2023-01-27 23:15:00
CVE-2022-23552
2023-01-27 23:15:00
cgr
cgr
CVE-2022-39201 vulnerabilities
2024-04-29 21:06:12
CVE-2022-31123 vulnerabilities
2024-04-29 21:06:12
CVE-2022-39324 vulnerabilities
2024-04-29 21:06:12
fedora
fedora
[SECURITY] Fedora 37 Update: grafana-9.0.9-1.fc37
2022-09-27 00:16:46
rocky
rocky
grafana security update
2023-07-19 17:53:40
rosalinux
rosalinux
Advisory ROSA-SA-2023-2181
2023-07-04 13:37:03

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

67.5%

JSON
Related for ROS-20240404-01
nessus30openvas18osv31almalinux4oraclelinux4redhat6freebsd13redhatcve13altlinux1redos1veracode13ubuntucve10alpinelinux8cnvd3prion12github2ibm9cve12cgr6fedora1rocky1rosalinux1