Grafana

Grafana

84 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2024-11741

  • EPSS 0.14%
  • Veröffentlicht 31.01.2025 16:15:30
  • Zuletzt bearbeitet 09.05.2025 20:15:38

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3,  11.2.6, 11.1...

2.7

CVE-2024-10452

  • EPSS 0.22%
  • Veröffentlicht 29.10.2024 16:15:04
  • Zuletzt bearbeitet 08.11.2024 17:59:10

Organization admins can delete pending invites created in an organization they are not part of.

8.8

CVE-2024-9264

  • EPSS 93.99%
  • Veröffentlicht 18.10.2024 04:15:04
  • Zuletzt bearbeitet 14.03.2025 10:15:15

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusi...

5.1

CVE-2024-8118

  • EPSS 0.07%
  • Veröffentlicht 26.09.2024 19:15:07
  • Zuletzt bearbeitet 30.09.2024 12:46:20

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

5.4

CVE-2024-6322

  • EPSS 0.03%
  • Veröffentlicht 20.08.2024 18:15:09
  • Zuletzt bearbeitet 30.10.2025 18:15:31

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific...

6.5

CVE-2024-1313

  • EPSS 0.02%
  • Veröffentlicht 26.03.2024 18:15:09
  • Zuletzt bearbeitet 13.02.2025 18:16:23

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be availab...

8.8

CVE-2024-1442

  • EPSS 0.44%
  • Veröffentlicht 07.03.2024 18:15:46
  • Zuletzt bearbeitet 11.03.2025 16:56:13

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

5.3

CVE-2023-5122

  • EPSS 0.2%
  • Veröffentlicht 14.02.2024 15:15:08
  • Zuletzt bearbeitet 13.02.2025 18:15:55

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. I...

5.4

CVE-2023-6152

Exploit
  • EPSS 0.23%
  • Veröffentlicht 13.02.2024 22:15:45
  • Zuletzt bearbeitet 15.02.2025 01:15:09

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

7.2

CVE-2023-4399

  • EPSS 0.04%
  • Veröffentlicht 17.10.2023 08:15:09
  • Zuletzt bearbeitet 13.02.2025 17:17:18

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction...