Nixpkgs Security Tracker

Untriaged

Permalink CVE-2022-39324

created 2 weeks ago

Grafana vulnerable to spoofing originalUrl of snapshots

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

Affected products

grafana

==< 8.5.16
==>= 9.0.0, < 9.2.8

Matching in nixpkgs

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

nixos-unstable 12.3.0
- nixpkgs-unstable 12.3.0
- nixos-unstable-small 12.3.0
nixos-25.05 12.0.7
- nixos-25.05-small 12.0.7
- nixpkgs-25.05-darwin 12.0.7

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7

pkgs.mcp-grafana

MCP server for Grafana

nixos-unstable 0.7.9
- nixpkgs-unstable 0.7.9
- nixos-unstable-small 0.7.9

pkgs.grafana-loki

Like Prometheus, but for logs

nixos-unstable 3.5.8
- nixpkgs-unstable 3.5.8
- nixos-unstable-small 3.5.8
nixos-25.05 3.4.5
- nixos-25.05-small 3.4.5
- nixpkgs-25.05-darwin 3.4.5

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

nixos-unstable 1.11.3
- nixpkgs-unstable 1.11.3
- nixos-unstable-small 1.11.3
nixos-25.05 1.8.3
- nixos-25.05-small 1.8.3
- nixpkgs-25.05-darwin 1.8.3

pkgs.grafana-kiosk

Kiosk Utility for Grafana

nixos-unstable 1.0.10
- nixpkgs-unstable 1.0.10
- nixos-unstable-small 1.0.10
nixos-25.05 1.0.9
- nixos-25.05-small 1.0.9
- nixpkgs-25.05-darwin 1.0.9

pkgs.grafana-to-ntfy

Grafana-to-ntfy (ntfy.sh) alerts channel

nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25
nixos-25.05 0-unstable-2025-01-25
- nixos-25.05-small 0-unstable-2025-01-25
- nixpkgs-25.05-darwin 0-unstable-2025-01-25

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1
nixos-25.05 0.7.2
- nixos-25.05-small 0.7.2
- nixpkgs-25.05-darwin 0.7.2

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

nixos-unstable 5.0.10
- nixpkgs-unstable 5.0.10
- nixos-unstable-small 5.0.10

pkgs.dhallPackages.dhall-grafana

None

nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
nixos-25.05 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-25.05-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-25.05-darwin 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932

pkgs.terraform-providers.grafana

None

nixos-25.05 3.22.3
- nixos-25.05-small 3.22.3
- nixpkgs-25.05-darwin 3.22.3

pkgs.python312Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.05 0.7.1
- nixos-25.05-small 0.7.1
- nixpkgs-25.05-darwin 0.7.1

pkgs.python313Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.05 0.7.1
- nixos-25.05-small 0.7.1
- nixpkgs-25.05-darwin 0.7.1

pkgs.haskellPackages.amazonka-grafana

Amazon Managed Grafana SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.05 2.0
- nixos-25.05-small 2.0
- nixpkgs-25.05-darwin 2.0

pkgs.grafanaPlugins.grafana-oncall-app

Developer-friendly incident response for Grafana

nixos-unstable 1.16.6
- nixpkgs-unstable 1.16.6
- nixos-unstable-small 1.16.6

pkgs.grafanaPlugins.grafana-clock-panel

Clock panel for Grafana

nixos-unstable 2.1.9
- nixpkgs-unstable 2.1.9
- nixos-unstable-small 2.1.9

pkgs.terraform-providers.grafana_grafana

None

nixos-unstable 4.17.0
- nixpkgs-unstable 4.17.0
- nixos-unstable-small 4.17.0

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data