Grafana

Grafana

83 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
2.7

CVE-2024-10452

  • EPSS 0.06%
  • Veröffentlicht 29.10.2024 16:15:04
  • Zuletzt bearbeitet 08.11.2024 17:59:10

Organization admins can delete pending invites created in an organization they are not part of.

8.8

CVE-2024-9264

  • EPSS 92.29%
  • Veröffentlicht 18.10.2024 04:15:04
  • Zuletzt bearbeitet 14.03.2025 10:15:15

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusi...

5.1

CVE-2024-8118

  • EPSS 0.05%
  • Veröffentlicht 26.09.2024 19:15:07
  • Zuletzt bearbeitet 30.09.2024 12:46:20

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

4.4

CVE-2024-6322

  • EPSS 0.02%
  • Veröffentlicht 20.08.2024 18:15:09
  • Zuletzt bearbeitet 21.08.2024 12:30:33

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific...

6.5

CVE-2024-1313

  • EPSS 0.02%
  • Veröffentlicht 26.03.2024 18:15:09
  • Zuletzt bearbeitet 13.02.2025 18:16:23

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be availab...

8.8

CVE-2024-1442

  • EPSS 0.44%
  • Veröffentlicht 07.03.2024 18:15:46
  • Zuletzt bearbeitet 11.03.2025 16:56:13

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

5.3

CVE-2023-5122

  • EPSS 0.2%
  • Veröffentlicht 14.02.2024 15:15:08
  • Zuletzt bearbeitet 13.02.2025 18:15:55

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. I...

5.4

CVE-2023-6152

Exploit
  • EPSS 0.23%
  • Veröffentlicht 13.02.2024 22:15:45
  • Zuletzt bearbeitet 15.02.2025 01:15:09

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

7.2

CVE-2023-4399

  • EPSS 0.04%
  • Veröffentlicht 17.10.2023 08:15:09
  • Zuletzt bearbeitet 13.02.2025 17:17:18

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction...

7.2

CVE-2023-4822

  • EPSS 0.45%
  • Veröffentlicht 16.10.2023 09:15:11
  • Zuletzt bearbeitet 16.06.2025 17:15:27

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associate...