SUSE CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource...

SUSE CVE-2021-27962

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access...

SUSE CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution RCE attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is...

SUSE CVE-2022-21673

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

SUSE CVE-2022-21702

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

SUSE CVE-2022-31130

Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...

SUSE CVE-2023-0482

In RESTEasy the insecure File.createTempFile is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user...

CVE-2023-0760

creationtimestamp| type| source ---|---|--- 2023-02-09 16:24:51+00:00| seen| https://t.me/cibsecurity/57819...

Information Disclosure

github.com/grafana/grafana is vulnerable to Information Disclosure. The vulnerability exists when the data source query cache is enabled, Grafana will cache all headers, including the grafanasession, resulting in any user querying a data source which allows an attacker to acquire another user's...

CVE-2021-31577

creationtimestamp| type| source ---|---|--- 2023-02-07 00:23:27+00:00| seen| https://t.me/cibsecurity/57619...

CVE-2022-23498

A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a data source where the caching is enabled can acquire another user’s session. Mitigation To mitigate the vulnerability,...

Code injection

In Apache Linkis =1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be...

CVE-2022-44644

CVE-2022-44644 — Apache Linkis local file read vulnerability . Affected: Apache Linkis

Apache Linkis 代码问题漏洞

Apache Linkis is a middleware product from the Apache Foundation that establishes an effective connection between upper-tier applications and the underlying data engine. A code issue vulnerability exists in Apache Linkis 1.3.0 and prior versions, which stems from a deserialization vulnerability...

CVE-2022-46164

creationtimestamp| type| source ---|---|--- 2023-01-04 14:10:29+00:00| published-proof-of-concept| https://t.me/proxybar/1255 2023-01-05 11:30:20+00:00| published-proof-of-concept| https://t.me/CyberSecurityTechnologies/7492 2023-01-05 13:41:52+00:00| published-proof-of-concept|...

GHSA-C2P4-8MVV-RWMV Apache Karaf vulnerable to potential code injection

This vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtilsdoCreateDatasource uses InitialContext.lookupjndiName without filtering. A...

CVE-2022-40145 Apache Karaf: JDBC JAAS LDAP injection

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtilsdoCreateDatasource use InitialContext.lookupjndiName without filtering. An us...

SAP BusinessObjects Business Intelligence Platform 4.2 < 4.2 SP9 P11 / 4.3 < 4.3 SP2 P8 Multiple Vulnerabilities

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to 4.2 SP9 P11, 4.3 SP2 P8 or 4.3 SP3. It is, therefore, affected by multiple vulnerabilities: - A server-side request forgery vulnerability SSRF where an attacker with normal BI user...

PT-2022-14709 · Google · Android

Name of the Vulnerable Software and Affected Versions: Android versions Android-12 through Android-13 Description: In the setDataSource function of initMediaExtractor.cpp, there is a possibility of arbitrary code execution due to a use after free. This could lead to local information disclosure...

CVE-2022-41263

Due to a missing authentication check, SAP Business Objects Business Intelligence Platform Web Intelligence - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the...