Grafana

Grafana

83 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
2.7

CVE-2024-10452

  • EPSS 0.06%
  • Published 29.10.2024 16:15:04
  • Last modified 08.11.2024 17:59:10

Organization admins can delete pending invites created in an organization they are not part of.

8.8

CVE-2024-9264

  • EPSS 92.29%
  • Published 18.10.2024 04:15:04
  • Last modified 14.03.2025 10:15:15

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusi...

5.1

CVE-2024-8118

  • EPSS 0.05%
  • Published 26.09.2024 19:15:07
  • Last modified 30.09.2024 12:46:20

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

4.4

CVE-2024-6322

  • EPSS 0.02%
  • Published 20.08.2024 18:15:09
  • Last modified 21.08.2024 12:30:33

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific...

6.5

CVE-2024-1313

  • EPSS 0.02%
  • Published 26.03.2024 18:15:09
  • Last modified 13.02.2025 18:16:23

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be availab...

8.8

CVE-2024-1442

  • EPSS 0.44%
  • Published 07.03.2024 18:15:46
  • Last modified 11.03.2025 16:56:13

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

5.3

CVE-2023-5122

  • EPSS 0.2%
  • Published 14.02.2024 15:15:08
  • Last modified 13.02.2025 18:15:55

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. I...

5.4

CVE-2023-6152

Exploit
  • EPSS 0.23%
  • Published 13.02.2024 22:15:45
  • Last modified 15.02.2025 01:15:09

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

7.2

CVE-2023-4399

  • EPSS 0.04%
  • Published 17.10.2023 08:15:09
  • Last modified 13.02.2025 17:17:18

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction...

7.2

CVE-2023-4822

  • EPSS 0.45%
  • Published 16.10.2023 09:15:11
  • Last modified 16.06.2025 17:15:27

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associate...