607 matches found

Tenable Nessus
added 2022/07/28 12:0 a.m., 38 views

Oracle Linux 8 : grafana (ELSA-2022-5717)

The remote Oracle Linux 8 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2022-5717 advisory. 7.5.11-3 - resolve CVE-2022-31107 grafana: OAuth account takeover Tenable has extracted the preceding description block directly from the Oracle Linux security...

CVSS 7.5 | AI score 7.8 | EPSS 0.02029
Exploits 0 | References 2

Tenable Nessus
added 2022/07/27 12:0 a.m., 44 views

Oracle Linux 9 : grafana (ELSA-2022-5716)

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2022-5716 advisory. 7.5.11-5 - resolve CVE-2022-31107 grafana: OAuth account takeover Tenable has extracted the preceding description block directly from the Oracle Linux security...

CVSS 7.5 | AI score 7.8 | EPSS 0.02029
Exploits 0 | References 2

Prion
added 2022/07/15 1:15 p.m., 26 views

Authorization

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of...

CVSS 4.6 | AI score 7.2 | EPSS 0.02029
Exploits 0 | References 5 | Affected Software 1

UbuntuCve
added 2022/07/15 1:15 p.m., 19 views

CVE-2022-31107

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of...

CVSS 7.5 | AI score 7.1 | EPSS 0.02029
Exploits 0 | References 1

CVE
added 2022/07/15 12:10 p.m., 212 views

CVE-2022-31097

Grafana versions 8.x and 9.x prior to patches (9.0.3, 8.5.9, 8.4.10, 8.3.10) are vulnerable to a stored XSS via Unified Alerting that can escalate an authenticated editor to admin by fooling an admin into clicking a link. Patched releases are 9.0.3, 8.5.9, 8.4.10, and 8.3.10. Workarounds include ...

CVSS 8.7 | AI score 7.5 | EPSS 0.68051
Exploits 0 | References 5 | Affected Software 1

CVE
added 2022/07/11 7:25 p.m., 80 views

CVE-2020-35168

CVE-2020-35168 affects Dell BSAFE Crypto-C Micro Edition (versions before 4.1.5) and Dell BSAFE Micro Edition Suite (versions before 4.6) with an Observable Timing Discrepancy vulnerability. The initial document provides CVSS metrics indicating high impact (network attack, no user interaction) wi...

CVSS 9.8 | AI score 9.3 | EPSS 0.00403
Exploits 0 | References 2 | Affected Software 2

RedHat Linux
added 2022/06/09 2:3 a.m., 91 views

Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.0 is now generally available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CVSS 9.8 | AI score 7.1 | EPSS 0.70561
Exploits 10 | References 216

ThreatPost
added 2022/05/20 12:42 p.m., 39 views

Closing the Gap Between Application Security and Observability

Infosec Insiders columnist Daniel Kaar, global director application security engineering at Dynatrace. When it’s all said and done, application security pros may come to look upon the Log4Shell vulnerability as a gift. Potentially one of the most devastating software flaws ever found, Log4Shell...

AI score 7.2
Exploits 0 | References 3

RedHat Linux
added 2022/04/21 2:42 a.m., 111 views

Moderate: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 General Availability release images. This update provides security fixes, bug fixes, and updates the container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring...

CVSS 9.8 | AI score 7.1 | EPSS 0.70561
Exploits 9 | References 28

CVE
added 2022/04/12 5:0 p.m., 123 views

CVE-2022-24812

Grafana Enterprise FGAC API Key privilege escalation (CVE-2022-24812): when fine-grained access control is enabled and multiple API Keys exist in an organization, the API key permissions are cached for 30 seconds using a stale cache ID, causing subsequent requests to inherit previous admin permis...

CVSS 8.8 | AI score 8.3 | EPSS 0.02245
Exploits 0 | References 4 | Affected Software 1

Imperva Blog
added 2022/04/07 4:53 p.m., 20 views

Why Customers Asked us for a Data Security Fabric (Even When They Didn’t Know to ask for it by Name)

Our journey to the data security fabric started a while back when we built the industry’s first data security platform based on what customers said they needed and working with customers as design partners. The concept of a software platform has been around for a long time. Like all platforms, we...

AI score 7.3
Exploits 0

UbuntuCve
added 2022/02/08 9:15 p.m., 24 views

CVE-2022-21713

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...

CVSS 4.3 | AI score 6.8 | EPSS 0.01185
Exploits 0 | References 1

UbuntuCve
added 2022/02/08 9:15 p.m., 23 views

CVE-2022-21703

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users for example,...

CVSS 8.8 | AI score 6.7 | EPSS 0.02283
Exploits 0 | References 1

UbuntuCve
added 2022/02/08 8:15 p.m., 24 views

CVE-2022-21702

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

CVSS 6.5 | AI score 6.9 | EPSS 0.02359
Exploits 1 | References 1

CVE
added 2022/02/08 7:40 p.m., 1045 views

CVE-2022-21702

Grafana CVE-2022-21702 is an XSS vulnerability in the data source proxy and plugin proxy paths. Affected: Grafana HTTP-based datasources configured with Server as Access Mode and a URL, and HTTP-based app plugins configured with a URL (versions up to 8.3.4; back-end plugin resources also mentione...

CVSS 6.5 | AI score 6.5 | EPSS 0.02359
Exploits 1 | References 7 | Affected Software 1

AlpineLinux
added 2022/02/08 7:40 p.m., 166 views

CVE-2022-21702

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

CVSS 6.5 | AI score 6.7 | EPSS 0.02359
Exploits 1

OSV
added 2022/02/08 7:40 p.m., 24 views

CVE-2022-21702 Cross site scripting in Grafana proxy

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting XSS attack. The...

CVSS 6.5 | AI score 7 | EPSS 0.02359
Exploits 1 | References 9

IBM Security Bulletins
added 2022/01/25 1:12 p.m., 111 views

Security Bulletin: IBM Observability by Instana and IBM Observability with Instana - Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

Summary Vulnerabilities detected in Apache Log4j affects IBM Observability by Instana and IBM Observability with Instana. The CVE numbers are: CVE-2021-45105 and CVE-2021-45046. These vulnerabilities have been addressed in both the Server and Agent components. The fix includes Apache Log4j v2.17...

CVSS 10 | AI score 1.3 | EPSS 0.99999
Exploits 347 | Affected Software 1

Tenable Nessus
added 2022/01/21 12:0 a.m., 39 views

openSUSE 15 Security Update : grafana (openSUSE-SU-2022:0140-1)

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0140-1 advisory. - Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the...

CVSS 9.8 | AI score 7.3 | EPSS 0.99951
Exploits 1 | References 7

CVE
added 2022/01/18 9:35 p.m., 229 views

CVE-2022-21673

Grafana Forward OAuth Identity vulnerability (CVE-2022-21673) affects Grafana data sources with Forward OAuth Identity enabled, allowing API token holders to access data tied to the most recently logged-in user. Root cause: data sources with the Forward OAuth Identity feature enabled, OAuth enabl...

CVSS 4.3 | AI score 6.2 | EPSS 0.02013
Exploits 0 | References 7 | Affected Software 1