Nixpkgs Security Tracker

Untriaged

Permalink CVE-2022-23552

created 2 weeks ago

Grafana stored XSS in FileUploader component

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.

Affected products

grafana

==>= 8.1, < 8.5.16
==>= 9.3, < 9.3.4
==>= 9.0, < 9.2.10

Matching in nixpkgs

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

nixos-unstable 12.3.0
- nixpkgs-unstable 12.3.0
- nixos-unstable-small 12.3.0
nixos-25.05 12.0.7
- nixos-25.05-small 12.0.7
- nixpkgs-25.05-darwin 12.0.7

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7

pkgs.mcp-grafana

MCP server for Grafana

nixos-unstable 0.7.9
- nixpkgs-unstable 0.7.9
- nixos-unstable-small 0.7.9

pkgs.grafana-loki

Like Prometheus, but for logs

nixos-unstable 3.5.8
- nixpkgs-unstable 3.5.8
- nixos-unstable-small 3.5.8
nixos-25.05 3.4.5
- nixos-25.05-small 3.4.5
- nixpkgs-25.05-darwin 3.4.5

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

nixos-unstable 1.11.3
- nixpkgs-unstable 1.11.3
- nixos-unstable-small 1.11.3
nixos-25.05 1.8.3
- nixos-25.05-small 1.8.3
- nixpkgs-25.05-darwin 1.8.3

pkgs.grafana-kiosk

Kiosk Utility for Grafana

nixos-unstable 1.0.10
- nixpkgs-unstable 1.0.10
- nixos-unstable-small 1.0.10
nixos-25.05 1.0.9
- nixos-25.05-small 1.0.9
- nixpkgs-25.05-darwin 1.0.9

pkgs.grafana-to-ntfy

Grafana-to-ntfy (ntfy.sh) alerts channel

nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25
nixos-25.05 0-unstable-2025-01-25
- nixos-25.05-small 0-unstable-2025-01-25
- nixpkgs-25.05-darwin 0-unstable-2025-01-25

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1
nixos-25.05 0.7.2
- nixos-25.05-small 0.7.2
- nixpkgs-25.05-darwin 0.7.2

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

nixos-unstable 5.0.10
- nixpkgs-unstable 5.0.10
- nixos-unstable-small 5.0.10

pkgs.dhallPackages.dhall-grafana

None

nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
nixos-25.05 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-25.05-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-25.05-darwin 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932

pkgs.terraform-providers.grafana

None

nixos-25.05 3.22.3
- nixos-25.05-small 3.22.3
- nixpkgs-25.05-darwin 3.22.3

pkgs.python312Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.05 0.7.1
- nixos-25.05-small 0.7.1
- nixpkgs-25.05-darwin 0.7.1

pkgs.python313Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.05 0.7.1
- nixos-25.05-small 0.7.1
- nixpkgs-25.05-darwin 0.7.1

pkgs.haskellPackages.amazonka-grafana

Amazon Managed Grafana SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.05 2.0
- nixos-25.05-small 2.0
- nixpkgs-25.05-darwin 2.0

pkgs.grafanaPlugins.grafana-oncall-app

Developer-friendly incident response for Grafana

nixos-unstable 1.16.6
- nixpkgs-unstable 1.16.6
- nixos-unstable-small 1.16.6

pkgs.grafanaPlugins.grafana-clock-panel

Clock panel for Grafana

nixos-unstable 2.1.9
- nixpkgs-unstable 2.1.9
- nixos-unstable-small 2.1.9

pkgs.terraform-providers.grafana_grafana

None

nixos-unstable 4.17.0
- nixpkgs-unstable 4.17.0
- nixos-unstable-small 4.17.0

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data