Grafana Security Vulnerabilities
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is...
7.5CVSS
7.3AI Score
0.024EPSS
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system...
9.8CVSS
9.1AI Score
0.013EPSS
6.1CVSS
7.2AI Score
0.001EPSS
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source...
6.5CVSS
6.4AI Score
0.001EPSS
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the...
5.4CVSS
5.3AI Score
0.005EPSS
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network...
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for...
6.1CVSS
6.1AI Score
0.001EPSS
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for...
6.1CVSS
6.2AI Score
0.002EPSS
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for...
6.1CVSS
5.9AI Score
0.001EPSS
6.1CVSS
6.1AI Score
0.001EPSS
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world...
5.5CVSS
6AI Score
0.0005EPSS
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource...
5.5CVSS
5.4AI Score
0.001EPSS
6.1CVSS
6.2AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.005EPSS
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy,...
4.9CVSS
5.1AI Score
0.001EPSS
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running...
7.5CVSS
7.2AI Score
0.281EPSS
public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url...
5.4CVSS
5.5AI Score
0.008EPSS
Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query editor that can result in Running arbitrary js code in victims browser.. This attack appear to be exploitable via Authenticated user must click on the input field where.....
5.4CVSS
5.3AI Score
0.001EPSS
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin...
6.5CVSS
6.4AI Score
0.029EPSS
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth...
9.8CVSS
9.4AI Score
0.017EPSS
6.1CVSS
6AI Score
0.001EPSS