611 matches found
Security Bulletin: IBM Instana Observability is affected by Vulnerabilities in Postgresql JDBC
Summary Vulnerabilities in Postgresql JDBC were remediated in IBM Observability with Instana build 267. Vulnerability Details CVEID:CVE-2022-41946 DESCRIPTION: Postgresql JDBC could allow a local authenticated attacker to obtain sensitive information, caused by not limit access to created readabl...
BIT-GRAFANA-2021-41244 Cross organization admin control in Grafana
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a...
BIT-GRAFANA-2022-21702 Cross site scripting in Grafana proxy
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...
BIT-GRAFANA-2022-21713 Exposure of Sensitive Information in Grafana
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...
BIT-GRAFANA-2022-23498 When query caching is enabled in Grafana users can query another users session
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...
BIT-GRAFANA-2022-23552 Grafana stored XSS in FileUploader component
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly...
BIT-GRAFANA-2022-39201 Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions...
BIT-GRAFANA-2022-39306 Grafana contains Improper Input Validation
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non...
BIT-GRAFANA-2022-39307 Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks...
BIT-GRAFANA-2022-39324 Grafana vulnerable to spoofing originalUrl of snapshots
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
BIT-GRAFANA-2022-39328 Grafana vulnerable to race condition allowing privilege escalation
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patche...
BIT-GRAFANA-2023-0594
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this...
BIT-GRAFANA-2023-1410 Stored XSS in Graphite FunctionDescription tooltip
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have contro...
BIT-GRAFANA-2023-2801
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public...
Lessons from video game companies: automation unleashes robust monitoring & observability
Video game organizations need robust monitoring and observability solutions to stay one step ahead of cyber adversaries. Chances are, so do we all. In this blog post, we’ll delve into how monitoring and observability capabilities enable video game organizations to bolster their cybersecurity...
Moderate: Red Hat Security Advisory: Network Observability 1.5.0 for OpenShift
Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a...
CVE-2024-25631 Unencrypted traffic between pods when using Wireguard and an external kvstore
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and...
CVE-2024-25631 Unencrypted traffic between pods when using Wireguard and an external kvstore
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and...
CVE-2024-25630
Cilium vulnerability affecting the v1.14 line before v1.14.7, with default configuration using CRDs to store Cilium state and enabling WireGuard transparent encryption. The issue causes traffic to/from the Ingress and health endpoints to be unencrypted. There is no workaround. The remediation is ...
Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana build 265 Vulnerability Details CVEID:CVE-2023-34062 DESCRIPTION: VMware Tanzu Reactor Netty could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An...