Use of Cache Containing Sensitive Information

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession . As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

GHSA-H6W8-52MQ-4QXC Apache Linkis contains Deserialization of Untrusted Data

In Apache Linkis =1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameter...

PT-2022-25242 · Apache · Apache Karaf

Name of the Vulnerable Software and Affected Versions: Apache Karaf versions prior to 4.4.2 and 4.3.8 Description: This issue is about a potential code injection when an attacker has control of the target LDAP server using the JDBC JNDI URL. The function...

OESA-2022-2077 grafana security update

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB. Security Fixes: Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin prox...

PT-2022-6257 · Apache +1 · Apache Linkis +1

Name of the Vulnerable Software and Affected Versions: Apache Linkis versions 1.3.0 and earlier Description: A deserialization vulnerability exists in Apache Linkis when used with the MySQL Connector/J, allowing for possible remote code execution impact. This occurs when an attacker has write...

io.dataease:dataease-plugin-datasource (>=1.10.0 <=1.15.0), io.dataease:dataease-plugin-interface (>=1.0 <=1.15.0) +1 more potentially affected by CVE-2022-39312 via io.dataease:dataease-plugin-common (>=1.0 <=1.15.0)

io.dataease:dataease-plugin-common MAVEN version =1.0, =1.10.0, =1.0, =1.10.0, =1.15.0 Source cves: CVE-2022-39312 Source advisory: OSV:GHSA-Q4QQ-JHJV-7RH2...

Security Bulletin: Sensitive Data Disclosure Vulnerability in IBM Infosphere Guardium (CVE-2012-3312)

Abstract Security Bulletin: Sensitive Data Disclosure Vulnerability in IBM Infosphere Guardium CVE-2012-3312 Content SUMMARY: Datasource definition editor sends password in clear text. VULNERABILITY DETAILS: CVE ID: CVE-2012-3312 DESCRIPTION: The datasource definition editor, login and password f...

Grafana Privilege Escalation Vulnerability (GHSA-ff5c-938w-8c9q)

Grafana is prone to a privilege escalation vulnerability. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you...

Privilege Escalation

github.com/grafana/grafana is vulnerable to privilege escalation. A remote admin is able to take over the server admin account and gain full control of the particular grafana instance when auth proxy is used, via calling a fake datasource publicly through this proxying feature...

Information Disclosure

grafana is vulnerable to information disclosure.The vulnerability exits in grafana backend plugin which allows a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource...

CVE-2022-31176

Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser Chromium/Chrome. An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized fil...

CVE-2022-31176 Grafana Image Renderer leaking files

Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser Chromium/Chrome. An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized fil...

Sql injection

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data...

CVE-2022-35942 loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data...

CVE-2022-35942

The CVE-2022-35942 issue affects loopback-connector-postgresql (LoopBack) where improper input validation of the contains filter allows SQL injection when interpreted by the PostgreSQL connector. A patch was released in loopback-connector-postgresql v5.5.1 to fix this. Impacts include cases where...

GHSA-J259-6C58-9M58 loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. Impact When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of...

loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. Impact When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of...

PT-2022-23048 · Loopback +1 · Loopback +1

Name of the Vulnerable Software and Affected Versions: LoopBack versions prior to 5.5.1 Description: Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector...

io.dataease:dataease-plugin-datasource (>=1.10.0 <=1.11.1), io.dataease:dataease-plugin-interface (>=1.0 <=1.11.1) +1 more potentially affected by CVE-2022-34114 via io.dataease:dataease-plugin-common (>=1.0 <=1.11.1)

io.dataease:dataease-plugin-common MAVEN version =1.0, =1.10.0, =1.0, =1.10.0, =1.11.1 Source cves: CVE-2022-34114 Source advisory: OSV:GHSA-HMVW-66JM-H9FH...

io.dataease:dataease-plugin-datasource (>=1.10.0 <=1.11.1), io.dataease:dataease-plugin-interface (>=1.0 <=1.11.1) +1 more potentially affected by CVE-2022-34113 via io.dataease:dataease-plugin-common (>=1.0 <=1.11.1)

io.dataease:dataease-plugin-common MAVEN version =1.0, =1.10.0, =1.0, =1.10.0, =1.11.1 Source cves: CVE-2022-34113 Source advisory: OSV:GHSA-5469-C5P2-XV5G...