6.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
References
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
- FEDORA-2022-2eb4418018 vendor-advisory
- https://security.netapp.com/advisory/ntap-20221215-0001/
- https://security.netapp.com/advisory/ntap-20221215-0001/ x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q x_transferred
- FEDORA-2022-2eb4418018 vendor-advisory x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
- FEDORA-2022-2eb4418018 vendor-advisory
- https://security.netapp.com/advisory/ntap-20221215-0001/
- https://security.netapp.com/advisory/ntap-20221215-0001/ x_transferred
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q x_transferred
- FEDORA-2022-2eb4418018 vendor-advisory x_transferred
- FEDORA-2022-2eb4418018 vendor-advisory
- https://security.netapp.com/advisory/ntap-20221215-0001/
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q x_transferred
- FEDORA-2022-2eb4418018 vendor-advisory x_transferred
- https://security.netapp.com/advisory/ntap-20221215-0001/ x_transferred
Affected products
- ==< 8.5.13
- ==> 9.0.0, < 9.1.6
Matching in nixpkgs
pkgs.grafana
Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
pkgs.grafanactl
Tool designed to simplify interaction with Grafana instances
pkgs.mcp-grafana
MCP server for Grafana
pkgs.grafana-loki
Like Prometheus, but for logs
pkgs.grafana-alloy
Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles
pkgs.grafana-kiosk
Kiosk Utility for Grafana
pkgs.grafana-to-ntfy
Grafana-to-ntfy (ntfy.sh) alerts channel
-
nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25
pkgs.grafana-dash-n-grab
Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities
pkgs.grafana-image-renderer
Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
pkgs.dhallPackages.dhall-grafana
None
-
nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
pkgs.terraform-providers.grafana
None
pkgs.python312Packages.grafanalib
Library for building Grafana dashboards
pkgs.python313Packages.grafanalib
Library for building Grafana dashboards
pkgs.haskellPackages.amazonka-grafana
Amazon Managed Grafana SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
pkgs.grafanaPlugins.grafana-oncall-app
Developer-friendly incident response for Grafana
pkgs.grafanaPlugins.grafana-clock-panel
Clock panel for Grafana
pkgs.terraform-providers.grafana_grafana
None
pkgs.grafanaPlugins.grafana-pyroscope-app
Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data
pkgs.python312Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.python313Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.grafanaPlugins.grafana-piechart-panel
Pie chart panel for Grafana
pkgs.grafanaPlugins.grafana-polystat-panel
Hexagonal multi-stat panel for Grafana
pkgs.grafanaPlugins.grafana-worldmap-panel
World Map panel for Grafana
pkgs.grafanaPlugins.grafana-lokiexplore-app
Browse Loki logs without the need for writing complex queries
pkgs.grafanaPlugins.grafana-mqtt-datasource
Visualize streaming MQTT data from within Grafana
-
nixos-unstable 1.1.0-beta.3
- nixpkgs-unstable 1.1.0-beta.3
- nixos-unstable-small 1.1.0-beta.3
pkgs.grafanaPlugins.grafana-exploretraces-app
Opinionated traces app
pkgs.grafanaPlugins.grafana-github-datasource
Allows GitHub API data to be visually represented in Grafana dashboards
pkgs.grafanaPlugins.grafana-sentry-datasource
Integrate Sentry data into Grafana
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
pkgs.grafanaPlugins.grafana-metricsdrilldown-app
Queryless experience for browsing Prometheus-compatible metrics. Quickly find related metrics without writing PromQL queries
pkgs.python312Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.python313Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.grafanaPlugins.grafana-clickhouse-datasource
Connects Grafana to ClickHouse
pkgs.grafanaPlugins.grafana-opensearch-datasource
Empowers you to seamlessly integrate JSON data into Grafana
pkgs.grafanaPlugins.grafana-googlesheets-datasource
Integrate JSON data into Grafana
Package maintainers
-
@offlinehacker Jaka Hudoklin <jaka@x-truder.net>
-
@WilliButz Willi Butz <willibutz@posteo.de>
-
@Frostman Sergei Lukianov <me@slukjanov.name>
-
@globin Robin Gloster <mail@glob.in>
-
@fpletz Franz Pletz <fpletz@fnordicwalking.de>
-
@Ma27 Maximilian Bosch <maximilian@mbosch.me>
-
@ryan4yin Ryan Yin <xiaoyin_c@qq.com>
-
@azahi Azat Bahawi <azat@bahawi.net>
-
@hbjydev Hayden Young <hayden@kuraudo.io>
-
@flokli Florian Klink <flokli@flokli.de>
-
@cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>
-
@wraithm Matthew Wraith <wraithm@gmail.com>
-
@marcusramberg Marcus Ramberg <marcus@means.no>
-
@emilylange Emily Lange <nix@emilylange.de>
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@majiru Jacob Moody <moody@posixcafe.org>
-
@lukegb Luke Granger-Brown <nix@lukegb.com>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
-
@mockersf François Mockers <francois.mockers@vleue.com>
-
@loispostula Loïs Postula <lois@postu.la>
-
@NthTensor Miles Silberling-Cook <miles.silberlingcook@gmail.com>
-
@MarcelCoding Marcel <me@m4rc3l.de>
-
@arianvp Arian van Putten <arian.vanputten@gmail.com>
-
@wcarlsen Willi Carlsen <carlsenwilli@gmail.com>
-
@pilz0 Pilz <nix@pilz.foo>