GHSA-JV32-5578-PXJC Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...

GHSA-XC3P-28HW-Q24G Grafana proxy Cross-site Scripting

Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes MEDIUM severity security fix for XSS for Grafana. Release v.8.3.5, only containing security fixes: - Download Grafana 8.3.5 - Release notes Release v.7.5.15, only containing security fixes: - Download Grafana 7.5.15 -...

GHSA-7533-C8QV-JM9M Grafana directory traversal for .cvs files

Today we are releasing Grafana 8.3.2 and 7.5.12. This patch release includes a moderate severity security fix for directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability i...

CVE-2024-31441

DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19...

ROS-20240514-02

A vulnerability in the Apache Maven framework is related to a flaw in the data source validation mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to gain unauthorized access to protected information...

CVE-2024-31441 Arbitrary File Reading in DataEase

DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19...

Apache Superset 安全漏洞

Apache Superset is a data visualization and data exploration platform from the Apache USA Foundation. A security vulnerability exists in Apache Superset versions prior to 3.1.2, which can be exploited by an authenticated attacker to access metadata from data sources they are not authorized to vie...

ROS-20240503-18

A vulnerability in the Apache Maven framework is related to the generation of double-quoted strings without proper escaping. Exploitation of the vulnerability could allow an attacker acting remotely to conduct a shell-based attack. shell attacks A vulnerability in the Apache Maven framework is...

ICA Latency in Director shows Cannot retrieve the data

When checking ICA latency for a VDA on an App Layering based image, Director does not show that data. ICA Latency within Director says "Cannot retrieve the data." Hovering over that error message in Director pops up the message: "Data source unresponsive due to a configuration error. View Directo...

OESA-2024-1398 rubygem-tzinfo security update

TZInfo provides daylight savings aware transformations between times in different time zones. Security Fixes: TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when use...

ROS-20240410-17

The vulnerability of the ImageBuild function of the Moby containerization software tool is related to a flaw in the data source validation mechanism for endpoint processing. is related to a flaw in the data source validation mechanism for endpoint processing. Exploitation of the vulnerability cou...

The vulnerability of the Grafana monitoring and observation platform lies in the redirection of the URL address to an unreliable website, allowing a hacker to redirect users to any desired website.

The vulnerability of the Grafana monitoring and observation platform relates to bypassing security configurations, if a malicious data source operates on a permitted host. Exploiting this vulnerability could allow a remote attacker to redirect users to an arbitrary website...

CVE-2024-24976

A denial of service vulnerability exists in the OAS Engine File Data Source Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can cause the running program to stop. An attacker can send a sequence of requests to trigge...

CVE-2024-24976

A denial of service vulnerability exists in the OAS Engine File Data Source Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can cause the running program to stop. An attacker can send a sequence of requests to trigge...

CVE-2024-24976

A denial of service vulnerability exists in the OAS Engine File Data Source Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can cause the running program to stop. An attacker can send a sequence of requests to trigge...

Open Automation Software OAS Platform OAS Engine Tags Configuration file write vulnerability

Talos Vulnerability Report TALOS-2024-1950 Open Automation Software OAS Platform OAS Engine Tags Configuration file write vulnerability April 3, 2024 CVE Number CVE-2024-21870 SUMMARY A file write vulnerability exists in the OAS Engine Tags Configuration functionality of Open Automation Software...

Open Automation Software OAS Platform OAS Engine File Data Source Configuration denial of service vulnerability

Talos Vulnerability Report TALOS-2024-1948 Open Automation Software OAS Platform OAS Engine File Data Source Configuration denial of service vulnerability April 3, 2024 CVE Number CVE-2024-24976 SUMMARY A denial of service vulnerability exists in the OAS Engine File Data Source Configuration...

PT-2024-20684 · Open Automation · Open Automation Software Oas Platform

Name of the Vulnerable Software and Affected Versions: Open Automation Software OAS Platform version 19.00.0057 Description: A denial of service issue exists in the OAS Engine File Data Source Configuration functionality. It can be triggered by a specially crafted series of network requests,...

GO-2024-2661 Arbitrary file read in github.com/grafana/grafana

An authenticated attacker that has privileges to modify the data source configurations can read arbitrary files...

The vulnerability of the microprogramming software for UniLogic Studio programmable logic controllers of the UniStream series arises from the use of an unreliable data source, allowing a intruder to execute arbitrary code.

The vulnerability of the microprogramming software for UniLogic Studio series UniStream is related to the use of an unreliable data source. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...