FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-15 17:58:29 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
fdbe9aec-118b-11ee-908a-6c3be5272acd	Grafana -- Account takeover / authentication bypass Grafana Labs reports: Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. The CVSS score for this vulnerability is 9.4 Critical. Discovery 2023-06-22 Entry 2023-06-23 grafana ge 6.7.0 lt 8.5.27 ge 9.0.0 lt 9.2.20 ge 9.3.0 lt 9.3.16 ge 9.4.0 lt 9.4.13 ge 9.5.0 lt 9.5.5 ge 10.0.0 lt 10.0.1 grafana8 < 8.5.27 grafana9 < 9.2.20 ge 9.3.0 lt 9.3.16 ge 9.4.0 lt 9.4.13 ge 9.5.0 lt 9.5.5 grafana10 < 10.0.1 CVE-2023-3128 https://grafana.com/security/security-advisories/cve-2023-3128
0b85b1cd-e468-11ed-834b-6c3be5272acd	Grafana -- Critical vulnerability in golang Grafana Labs reports: An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time. The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base). Discovery 2023-04-19 Entry 2023-04-26 grafana < 8.5.24 ge 9.0.0 lt 9.2.17 ge 9.3.0 lt 9.3.13 ge 9.4.0 lt 9.4.9 grafana8 < 8.5.24 grafana9 < 9.2.17 ge 9.3.0 lt 9.3.13 ge 9.4.0 lt 9.4.9 CVE-2023-24538 https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/
6c1de144-056f-11ee-8e16-6c3be5272acd	Grafana -- Broken access control: viewer can send test alerts Grafana Labs reports: Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role. The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N). Discovery 2023-06-06 Entry 2023-06-07 grafana ge 8.0.0 lt 8.5.26 ge 9.0.0 lt 9.2.19 ge 9.3.0 lt 9.3.15 ge 9.4.0 lt 9.4.12 ge 9.5.0 lt 9.5.3 grafana8 ge 8.0.0 lt 8.5.26 grafana9 < 9.2.19 ge 9.3.0 lt 9.3.15 ge 9.4.0 lt 9.4.12 ge 9.5.0 lt 9.5.3 CVE-2023-2183 https://grafana.com/security/security-advisories/cve-2023-2183/

VuXML ID

Description

fdbe9aec-118b-11ee-908a-6c3be5272acd

Grafana -- Account takeover / authentication bypass

Grafana Labs reports:

Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.

The CVSS score for this vulnerability is 9.4 Critical.

Discovery 2023-06-22
Entry 2023-06-23
grafana

ge 6.7.0 lt 8.5.27

ge 9.0.0 lt 9.2.20

ge 9.3.0 lt 9.3.16

ge 9.4.0 lt 9.4.13

ge 9.5.0 lt 9.5.5

ge 10.0.0 lt 10.0.1

grafana8

< 8.5.27

grafana9

< 9.2.20

ge 9.3.0 lt 9.3.16

ge 9.4.0 lt 9.4.13

ge 9.5.0 lt 9.5.5

grafana10

< 10.0.1

CVE-2023-3128
https://grafana.com/security/security-advisories/cve-2023-3128

0b85b1cd-e468-11ed-834b-6c3be5272acd

Grafana -- Critical vulnerability in golang

Grafana Labs reports:

An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).

Discovery 2023-04-19
Entry 2023-04-26
grafana

< 8.5.24

ge 9.0.0 lt 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

grafana8

< 8.5.24

grafana9

< 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

CVE-2023-24538
https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/

6c1de144-056f-11ee-8e16-6c3be5272acd

Grafana -- Broken access control: viewer can send test alerts

Grafana Labs reports:

Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).

Discovery 2023-06-06
Entry 2023-06-07
grafana

ge 8.0.0 lt 8.5.26

ge 9.0.0 lt 9.2.19

ge 9.3.0 lt 9.3.15

ge 9.4.0 lt 9.4.12

ge 9.5.0 lt 9.5.3

grafana8

ge 8.0.0 lt 8.5.26

grafana9

< 9.2.19

ge 9.3.0 lt 9.3.15

ge 9.4.0 lt 9.4.12

ge 9.5.0 lt 9.5.3

CVE-2023-2183
https://grafana.com/security/security-advisories/cve-2023-2183/