|
Lines 1-3
Link Here
|
|
|
1 |
<vuln vid="0c367e98-0415-11ed-a53b-6c3be5272acd"> |
| 2 |
<topic>Grafana -- Stored XSS</topic> |
| 3 |
<affects> |
| 4 |
<package> |
| 5 |
<name>grafana</name> |
| 6 |
<range><ge>8.3.0</ge><lt>8.3.10</lt></range> |
| 7 |
<range><ge>8.4.0</ge><lt>8.4.10</lt></range> |
| 8 |
<range><ge>8.5.0</ge><lt>8.5.9</lt></range> |
| 9 |
<range><ge>9.0.0</ge><lt>9.0.3</lt></range> |
| 10 |
</package> |
| 11 |
<package> |
| 12 |
<name>grafana8</name> |
| 13 |
<range><ge>8.3.0</ge><lt>8.3.10</lt></range> |
| 14 |
<range><ge>8.4.0</ge><lt>8.4.10</lt></range> |
| 15 |
<range><ge>8.5.0</ge><lt>8.5.9</lt></range> |
| 16 |
</package> |
| 17 |
<package> |
| 18 |
<name>grafana9</name> |
| 19 |
<range><lt>9.0.3</lt></range> |
| 20 |
</package> |
| 21 |
</affects> |
| 22 |
<description> |
| 23 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 24 |
<p>Grafana Labs reports:</p> |
| 25 |
<blockquote cite="https://grafana.com/blog/2022/07/14/grafana-v9-0-3-8-5-9-8-4-10-and-8-3-10-released-with-high-severity-security-fix/"> |
| 26 |
<p>An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)</p> |
| 27 |
</blockquote> |
| 28 |
</body> |
| 29 |
</description> |
| 30 |
<references> |
| 31 |
<cvename>CVE-2022-31097</cvename> |
| 32 |
<url>https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f</url> |
| 33 |
</references> |
| 34 |
<dates> |
| 35 |
<discovery>2022-06-19</discovery> |
| 36 |
<entry>2022-07-15</entry> |
| 37 |
</dates> |
| 38 |
</vuln> |
| 39 |
|
| 40 |
<vuln vid="0859e6d5-0415-11ed-a53b-6c3be5272acd"> |
| 41 |
<topic>Grafana -- OAuth Account Takeover</topic> |
| 42 |
<affects> |
| 43 |
<package> |
| 44 |
<name>grafana</name> |
| 45 |
<range><ge>5.3.0</ge><lt>8.3.10</lt></range> |
| 46 |
<range><ge>8.4.0</ge><lt>8.4.10</lt></range> |
| 47 |
<range><ge>8.5.0</ge><lt>8.5.9</lt></range> |
| 48 |
<range><ge>9.0.0</ge><lt>9.0.3</lt></range> |
| 49 |
</package> |
| 50 |
<package> |
| 51 |
<name>grafana7</name> |
| 52 |
<range><ge>7.0</ge></range> |
| 53 |
</package> |
| 54 |
<package> |
| 55 |
<name>grafana8</name> |
| 56 |
<range><ge>8.3.0</ge><lt>8.3.10</lt></range> |
| 57 |
<range><ge>8.4.0</ge><lt>8.4.10</lt></range> |
| 58 |
<range><ge>8.5.0</ge><lt>8.5.9</lt></range> |
| 59 |
</package> |
| 60 |
<package> |
| 61 |
<name>grafana9</name> |
| 62 |
<range><lt>9.0.3</lt></range> |
| 63 |
</package> |
| 64 |
</affects> |
| 65 |
<description> |
| 66 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 67 |
<p>Grafana Labs reports:</p> |
| 68 |
<blockquote cite="https://grafana.com/blog/2022/07/14/grafana-v9-0-3-8-5-9-8-4-10-and-8-3-10-released-with-high-severity-security-fix/"> |
| 69 |
<p>It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.</p> |
| 70 |
</blockquote> |
| 71 |
</body> |
| 72 |
</description> |
| 73 |
<references> |
| 74 |
<cvename>CVE-2022-31107</cvename> |
| 75 |
<url>https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2</url> |
| 76 |
</references> |
| 77 |
<dates> |
| 78 |
<discovery>2022-06-27</discovery> |
| 79 |
<entry>2022-07-15</entry> |
| 80 |
</dates> |
| 81 |
</vuln> |
| 82 |
|
| 1 |
<vuln vid="a4f2416c-02a0-11ed-b817-10c37b4ac2ea"> |
83 |
<vuln vid="a4f2416c-02a0-11ed-b817-10c37b4ac2ea"> |
| 2 |
<topic>go -- multiple vulnerabilities</topic> |
84 |
<topic>go -- multiple vulnerabilities</topic> |
| 3 |
<affects> |
85 |
<affects> |