90 matches found

Grafana
added 2024/07/23, 9 views

Grafana plugins route actions are not scoped to instance

Access control for plugin data sources protected by the ReqActions JSON field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query...

CVSS 5.4 | AI score 5.8 | EPSS 0.00305 | Exploits 0
Grafana
added 2024/05/30, 6 views

Grafana OnCall Webhook SSRF

Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2, is vulnerable to a Server Side Request Forgery (SSRF)...

CVSS 9.1 | AI score 5.8 | EPSS 0.00402 | Exploits 0
Grafana
added 2024/03/26, 16 views

Users outside an organization can delete a snapshot with its key

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00646 | Exploits 0
Grafana
added 2024/03/07, 11 views

User with permissions to create a data source can CRUD all data sources

A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to . Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Impacted Versions: 8.5.0 9.5.7 10.0.0 10.0.12 10.1.0 10.1.8 10.2.0 10.2...

CVSS 8.8 | AI score 5.8 | EPSS 0.00802 | Exploits 0
Grafana
added 2024/02/14, 11 views

Improper Path Sanitization in JSON Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The JSON datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing JSON data from a remote endpoint including a specific sub-path configured by an administrator. Due to inadequate sanitizati...

CVSS 8 | AI score 5.9 | EPSS 0.0077 | Exploits 0
Grafana
added 2024/02/14, 6 views

SSRF in CSV Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare hos...

CVSS 5.3 | AI score 5.8 | EPSS 0.00509 | Exploits 0
Grafana
added 2024/02/13, 8 views

Email verification is not required after email change

Grafana is an open-source platform for monitoring and observability. A user who changed their email after signing up and verifying it can change it again without verification in profile settings. The configuration option “verifyemailenabled” only validates the email on sign up. This issue has been...

CVSS 5.4 | AI score 5.7 | EPSS 0.01385 | Exploits 1
Grafana
added 2023/10/12, 9 views

Grafana datasource network restrictions bypass

Grafana is an open-source platform for monitoring and observability. In Grafana, Request security is a deny list that allows admins to configure Grafana so that the instance doesn’t call specific hosts. However, the restriction can be bypassed using punycode encoding of the characters in...

CVSS 7.2 | AI score 7.1 | EPSS 0.01082 | Exploits 0
Grafana
added 2023/10/12, 9 views

Grafana org admins can modify permissions across all orgs

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor...

CVSS 7.2 | AI score 6.9 | EPSS 0.01074 | Exploits 0
Grafana
added 2023/09/19, 9 views

Google Sheets data source plugin - API key leaks in error messages

The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2, is vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, potentially exposing the Google Sheets API key that is configured for the data source. This vulnerabilit...

CVSS 7.5 | AI score 7.2 | EPSS 0.00389 | Exploits 0
Grafana
added 2023/06/22, 6 views

Grafana authentication bypass using Azure AD OAuth

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app...

CVSS 9.8 | AI score 5.8 | EPSS 0.04094 | Exploits 0
Grafana
added 2023/06/08, 7 views

Grafana WorldMap Panel Plugin DOM XSS

Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, in versions before 1.0.4, contains a DOM XSS vulnerability...

CVSS 7.3 | AI score 5.8 | EPSS 0.0045 | Exploits 0
Grafana
added 2023/06/06, 6 views

Broken Access Control in Alert manager: Viewer can send test alerts

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access t...

CVSS 7.5 | AI score 5.8 | EPSS 0.01027 | Exploits 1
Grafana
added 2023/06/06, 8 views

Grafana ds proxy race condition

Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query can crash a Grafana instance. The only feature that uses mixed queries at the moment is public...

CVSS 7.5 | AI score 6.8 | EPSS 0.00745 | Exploits 0
Grafana
added 2023/04/26, 7 views

JWT URL-login flow leaks token to data sources through request parameter in proxy requests

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the “urllogin” configuration option (disabled by default), a...

CVSS 7.5 | AI score 7.1 | EPSS 0.01504 | Exploits 1
Grafana
added 2023/03/22, 7 views

Stored XSS in Graphite FunctionDescription tooltip

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An attacker needs to have contro...

CVSS 6.2 | AI score 6.8 | EPSS 0.00954 | Exploits 1
Grafana
added 2023/02/28, 5 views

XSS In Geomap Via Attribution

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren’t properly sanitized and allowed arbitrary JavaScript...

CVSS 7.3 | AI score 6.9 | EPSS 0.1546 | Exploits 0
Grafana
added 2023/02/28, 7 views

Text panel plugin XSS

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin “Text”. The stored XSS vulnerability requires several user interactions in order to be...

CVSS 6.4 | AI score 6.8 | EPSS 0.01562 | Exploits 0
Grafana
added 2023/02/28, 7 views

Stored XSS in TraceView Panel

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the values of a span’s attributes/resources were not properly sanitized, and this...

CVSS 7.3 | AI score 6.8 | EPSS 0.09216 | Exploits 0
Grafana
added 2023/02/01, 6 views

Use of Cache Containing Sensitive Information

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

CVSS 8.8 | AI score 7.2 | EPSS 0.01132 | Exploits 1
Grafana
added 2023/01/26, 7 views

Spoofing originalUrl of snapshots

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...

CVSS 6.7 | AI score 6.8 | EPSS 0.00828 | Exploits 0
Grafana
added 2023/01/26, 7 views

Stored XSS in ResourcePicker component

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren’t properly...

CVSS 7.3 | AI score 6.9 | EPSS 0.00779 | Exploits 0
Grafana
added 2022/11/08, 7 views

User enumeration via forget password

Grafana is an open-source platform for monitoring and observability. When using the forgot-password feature on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks...

CVSS 6.7 | AI score 6.7 | EPSS 0.00696 | Exploits 0
Grafana
added 2022/11/08, 9 views

Race condition allowing privilege escalation

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middleware logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patche...

CVSS 9.8 | AI score 7.2 | EPSS 0.00922 | Exploits 0
Grafana
added 2022/11/08, 7 views

Email addresses and usernames can not be trusted

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non...

CVSS 8.1 | AI score 7.1 | EPSS 0.0074 | Exploits 0
Grafana
added 2022/10/12, 5 views

Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain...

CVSS 7.5 | AI score 6.9 | EPSS 0.01228 | Exploits 0
Grafana
added 2022/10/12, 7 views

Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana is an open source observability and data visualization platform. Grafana versions prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...

CVSS 7.5 | AI score 7.2 | EPSS 0.00964 | Exploits 0
Grafana
added 2022/10/12, 5 views

Using email as a username can block other users from signing in

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user’s login attempt by registering someone else’s email address as a username. A Grafana user’s username and email address are unique fields, th...

CVSS 4.3 | AI score 6.8 | EPSS 0.0082 | Exploits 0
Grafana
added 2022/10/12, 6 views

Plugin signature bypass

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are...

CVSS 7.8 | AI score 6.8 | EPSS 0.00249 | Exploits 0
Grafana
added 2022/09/20, 7 views

Grafana folders admin only permission privilege escalation

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafa...

CVSS 7.6 | AI score 6.7 | EPSS 0.00596 | Exploits 0
Grafana
added 2022/09/20, 6 views

Escalation from admin to server admin when auth proxy is used

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the Grafana instance. All...

CVSS 6.6 | AI score 6.9 | EPSS 0.01302 | Exploits 0
Grafana
added 2022/08/30, 7 views

Grafana Image Renderer leaking files

Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized fil...

CVSS 8.3 | AI score 7.2 | EPSS 0.0087 | Exploits 0
Grafana
added 2022/07/14, 8 views

Grafana account takeover via OAuth vulnerability

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of...

CVSS 7.5 | AI score 7.1 | EPSS 0.02039 | Exploits 0
Grafana
added 2022/07/14, 7 views

Stored XSS in Unified Alerting

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate...

CVSS 8.7 | AI score 7.1 | EPSS 0.68603 | Exploits 0
Grafana
added 2022/05/19, 7 views

Grafana datasource network restrictions bypass via HTTP redirects

Grafana is an open-source platform for monitoring and observability. In Grafana, the Request security feature's allow list lets admins configure Grafana so that the instance does not call, or only calls, specific hosts. The vulnerability is present starting with version 7.4.0-beta1 and prior to...

CVSS 8.5 | AI score 7.3 | EPSS 0.01116 | Exploits 0
Grafana
added 2022/04/12, 7 views

Grafana fine-grained access control API Key privilege escalation

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...

CVSS 8.8 | AI score 7.3 | EPSS 0.02322 | Exploits 0
Grafana
added 2022/02/08, 6 views

Grafana proxy XSS

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user into visiting this HTML page using a specially crafted link, executing a Cross-site Scripting (XSS) attack. The...

CVSS 6.5 | AI score 6.8 | EPSS 0.02359 | Exploits 1
Grafana
added 2022/02/08, 6 views

Grafana Cross Site Request Forgery

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross-site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users, for example,...

CVSS 8.8 | AI score 6.8 | EPSS 0.02283 | Exploits 0
Grafana
added 2022/02/08, 7 views

Grafana Teams API IDOR

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...

CVSS 4.3 | AI score 6.8 | EPSS 0.01185 | Exploits 0
Grafana
added 2022/01/18, 7 views

Forward OAuth Identity Token can allow users to access some data sources

Grafana is an open-source platform for monitoring and observability. In affected versions, when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

CVSS 4.3 | AI score 6.7 | EPSS 0.02013 | Exploits 0
Total number of security vulnerabilities: 90