456 matches found

Grafana
added 2022/02/08 12:0 a.m. · 2 views

Grafana proxy XSS

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content through the Grafana datasource or plugin proxy, trick a user into visiting this HTML page using a specially crafted link, and execute a Cross-site Scripting (XSS) attack. The...

6.5 CVSS · 6.8 AI score · 0.01007 EPSS
Exploits 1

Veracode
added 2022/01/07 12:20 p.m. · 22 views

Remote Code Execution (RCE)

org.apache.kylin:kylin-datasource-sdk is vulnerable to remote code execution. A remote attacker is able to inject and execute malicious code from a hacker-controlled malicious MySQL server within Kylin server processes because the library allows users to read data from other database systems usin...

6.5 CVSS · 6.7 AI score · 0.00805 EPSS
Exploits 0 · References 5 · Affected Software 1

OSV
added 2021/12/10 9:15 p.m. · 1 views

UBUNTU-CVE-2021-43815

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerabili...

4.3 CVSS · 6.9 AI score · 0.01202 EPSS
Exploits 0 · References 8

OSV
added 2021/12/09 7:16 p.m. · 3 views

GHSA-R695-7VR9-JGC2 Unsafe Deserialization in jackson-databind

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource...

8.1 CVSS · 6.9 AI score · 0.02335 EPSS
Exploits 1 · References 13

OSV
added 2021/12/09 7:14 p.m. · 1 views

GHSA-H3CW-G4MQ-C5X2 Code Injection in jackson-databind

This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource aka Anteros-DBCP...

8.1 CVSS · 7.1 AI score · 0.02908 EPSS
Exploits 1 · References 13

vulnersOsv
added 2021/09/09 5:11 p.m. · 1 views

com.alibaba.otter:canal.deployer (>=1.1.7 <=1.1.8), com.alibaba.otter:canal.instance.core (>=1.1.7 <=1.1.8) +90 more potentially affected by CVE-2021-37137 via org.jboss.netty:netty (>=3.1.0.BETA1 <=3.2.10.Final)

org.jboss.netty:netty MAVEN version =3.1.0.BETA1, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.6.4 and more Source cves: CVE-2021-37137 Source advisory: OSV:GHSA-9VJP-V76F-G363...

7.5 CVSS · 6.7 AI score · 0.02383 EPSS
Exploits 0

Oracle linux
added 2021/05/25 12:0 a.m. · 40 views

grafana security, bug fix, and enhancement update

7.3.6-2 - change working dir to in grafana-cli wrapper fixes Red Hat BZ 1916083 - add pcp-redis-datasource to allowloadingunsignedplugins config option 7.3.6-1 - update to 7.3.6 tagged upstream community sources, see CHANGELOG - remove dependency on SAML not supported in the open source version o...

10 CVSS · 0.1 AI score · 0.07544 EPSS
Exploits 1

RedHat Linux
added 2021/05/18 2:45 p.m. · 1 views

grafana: XSS via a query alias for the Elasticsearch and Testdata datasource

A flaw was found in grafana. A XSS via a query alias for the ElasticSearch datasource is allowed...

6.1 CVSS · 7.1 AI score · 0.00477 EPSS
Exploits 0 · References 5

Positive Technologies
added 2021/01/01 12:0 a.m. · 7 views

PT-2021-3167 · Apache +3 · Apache Tomcat +3

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.0 through 2.9.10.7 Description: The issue is related to the interaction between serialization gadgets and typing, specifically involving the org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource...

9.8 CVSS · 6.7 AI score · 0.62015 EPSS
Exploits 27 · References 215

OSV
added 2020/12/17 7:15 p.m. · 0 views

UBUNTU-CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource...

8.1 CVSS · 7 AI score · 0.06186 EPSS
Exploits 1 · References 5

Positive Technologies
added 2020/12/17 12:0 a.m. · 7 views

PT-2020-6950 · Fasterxml +3 · Jackson-Databind +3

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.8 Description: The issue is related to the interaction between serialization gadgets and typing, which can lead to the exploitation of the vulnerability. This may allow a remote attacker t...

9.8 CVSS · 7.2 AI score · 0.62015 EPSS
Exploits 27 · References 216

Oracle linux
added 2020/11/10 12:0 a.m. · 39 views

cloud-init security, bug fix, and enhancement update

19.4-11.0.1 - Forward port applicable cloud-init 18.4-2.0.3 changes to cloud-init-18-5 Orabug: 30435672 - Update OCI Datasource to support IMDSv2 - limit permissions Orabug: 31352433 - Changes to ignore all enslaved interfaces Orabug: 30092148 - Fix swap file size allocation logic to allocate...

7.1 CVSS · 0.00114 EPSS
Exploits 0

RedHat Linux
added 2020/11/04 1:31 a.m. · 3 views

grafana: information disclosure through world-readable /var/lib/grafana/grafana.db

An information-disclosure flaw was found in the way Grafana set permissions for the database directory and file. This flaw allows a local attacker access to potentially sensitive information such as cleartext or encrypted datasource passwords from /var/lib/grafana/grafana.db...

5.5 CVSS · 7.1 AI score · 0.0007 EPSS
Exploits 1 · References 4

OpenVAS
added 2020/10/29 12:0 a.m. · 22 views

Grafana < 7.1.0-beta1 XSS Vulnerability

Grafana is vulnerable to a cross-site scripting XSS vulnerability. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free...

6.1 CVSS · 6 AI score · 0.00477 EPSS
Exploits 0 · References 2

CVE
added 2020/10/28 1:25 p.m. · 134 views

CVE-2020-24303

CVE-2020-24303 : Grafana before 7.1.0-beta1 is vulnerable to an XSS via a query alias for the Elasticsearch datasource. Root cause per the public description is improper input handling in the query alias pathway, enabling script execution in a victim’s browser. Exploitation status not described i...

6.1 CVSS · 6.2 AI score · 0.00477 EPSS
Exploits 0 · References 3 · Affected Software 1

RedHat Linux
added 2020/07/28 3:54 p.m. · 2 views

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

9.8 CVSS · 7 AI score · 0.00669 EPSS
Exploits 1 · References 4

RedHat Linux
added 2020/05/18 10:24 a.m. · 4 views

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

9.8 CVSS · 7 AI score · 0.00669 EPSS
Exploits 1 · References 4

CNVD
added 2020/03/20 12:0 a.m. · 2 views

Ignite Realtime Openfire Cross-Site Scripting Vulnerability (CNVD-2020-18551)

Ignite Realtime Openfire is a real-time collaboration (RTC) server licensed under the open source Apache license. A cross-site scripting vulnerability exists in Ignite Realtime Openfire 4.4.1. An attacker can exploit this vulnerability to conduct a cross-site scripting attack via the...

6.1 CVSS · 6.2 AI score · 0.00471 EPSS
Exploits 1 · References 1

OSV
added 2020/03/19 6:15 p.m. · 13 views

CVE-2019-20526

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter...

6.1 CVSS · 5.9 AI score
Exploits 0 · References 1

NVD
added 2020/03/19 6:15 p.m. · 10 views

CVE-2019-20525

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter...

6.1 CVSS · 6 AI score · 0.00471 EPSS
Exploits 1 · References 1