7.3 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Grafana is an open-source platform for monitoring and observability. Starting …
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
References
- https://grafana.com/security/security-advisories/cve-2023-0594/
- https://security.netapp.com/advisory/ntap-20230331-0007/
- https://grafana.com/security/security-advisories/cve-2023-0594/
- https://grafana.com/security/security-advisories/cve-2023-0594/ x_transferred
- https://security.netapp.com/advisory/ntap-20230331-0007/
- https://grafana.com/security/security-advisories/cve-2023-0594/
- https://security.netapp.com/advisory/ntap-20230331-0007/
- https://grafana.com/security/security-advisories/cve-2023-0594/ x_transferred
- https://grafana.com/security/security-advisories/cve-2023-0594/
- https://security.netapp.com/advisory/ntap-20230331-0007/
- https://grafana.com/security/security-advisories/cve-2023-0594/ x_transferred
Affected products
- <9.2.13
- <9.3.8
- <8.5.21
- <9.2.13
- <9.3.8
- <8.5.21
Matching in nixpkgs
pkgs.grafana
Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
pkgs.grafanactl
Tool designed to simplify interaction with Grafana instances
pkgs.mcp-grafana
MCP server for Grafana
pkgs.grafana-loki
Like Prometheus, but for logs
pkgs.grafana-alloy
Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles
pkgs.grafana-kiosk
Kiosk Utility for Grafana
pkgs.grafana-to-ntfy
Grafana-to-ntfy (ntfy.sh) alerts channel
-
nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25
pkgs.grafana-dash-n-grab
Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities
pkgs.grafana-image-renderer
Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
pkgs.dhallPackages.dhall-grafana
None
-
nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
pkgs.terraform-providers.grafana
None
pkgs.python312Packages.grafanalib
Library for building Grafana dashboards
pkgs.python313Packages.grafanalib
Library for building Grafana dashboards
pkgs.haskellPackages.amazonka-grafana
Amazon Managed Grafana SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
pkgs.grafanaPlugins.grafana-oncall-app
Developer-friendly incident response for Grafana
pkgs.grafanaPlugins.grafana-clock-panel
Clock panel for Grafana
pkgs.terraform-providers.grafana_grafana
None
pkgs.grafanaPlugins.grafana-pyroscope-app
Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data
pkgs.python312Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.python313Packages.mypy-boto3-grafana
Type annotations for boto3 grafana
-
nixos-unstable boto3-grafana-1.41.0
- nixpkgs-unstable boto3-grafana-1.41.0
- nixos-unstable-small boto3-grafana-1.41.0
pkgs.grafanaPlugins.grafana-piechart-panel
Pie chart panel for Grafana
pkgs.grafanaPlugins.grafana-polystat-panel
Hexagonal multi-stat panel for Grafana
pkgs.grafanaPlugins.grafana-worldmap-panel
World Map panel for Grafana
pkgs.grafanaPlugins.grafana-lokiexplore-app
Browse Loki logs without the need for writing complex queries
pkgs.grafanaPlugins.grafana-mqtt-datasource
Visualize streaming MQTT data from within Grafana
-
nixos-unstable 1.1.0-beta.3
- nixpkgs-unstable 1.1.0-beta.3
- nixos-unstable-small 1.1.0-beta.3
pkgs.grafanaPlugins.grafana-exploretraces-app
Opinionated traces app
pkgs.grafanaPlugins.grafana-github-datasource
Allows GitHub API data to be visually represented in Grafana dashboards
pkgs.grafanaPlugins.grafana-sentry-datasource
Integrate Sentry data into Grafana
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
pkgs.grafanaPlugins.grafana-metricsdrilldown-app
Queryless experience for browsing Prometheus-compatible metrics. Quickly find related metrics without writing PromQL queries
pkgs.python312Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.python313Packages.types-aiobotocore-grafana
Type annotations for aiobotocore grafana
pkgs.grafanaPlugins.grafana-clickhouse-datasource
Connects Grafana to ClickHouse
pkgs.grafanaPlugins.grafana-opensearch-datasource
Empowers you to seamlessly integrate JSON data into Grafana
pkgs.grafanaPlugins.grafana-googlesheets-datasource
Integrate JSON data into Grafana
Package maintainers
-
@offlinehacker Jaka Hudoklin <jaka@x-truder.net>
-
@WilliButz Willi Butz <willibutz@posteo.de>
-
@Frostman Sergei Lukianov <me@slukjanov.name>
-
@globin Robin Gloster <mail@glob.in>
-
@fpletz Franz Pletz <fpletz@fnordicwalking.de>
-
@Ma27 Maximilian Bosch <maximilian@mbosch.me>
-
@ryan4yin Ryan Yin <xiaoyin_c@qq.com>
-
@azahi Azat Bahawi <azat@bahawi.net>
-
@hbjydev Hayden Young <hayden@kuraudo.io>
-
@flokli Florian Klink <flokli@flokli.de>
-
@cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>
-
@wraithm Matthew Wraith <wraithm@gmail.com>
-
@marcusramberg Marcus Ramberg <marcus@means.no>
-
@emilylange Emily Lange <nix@emilylange.de>
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@majiru Jacob Moody <moody@posixcafe.org>
-
@lukegb Luke Granger-Brown <nix@lukegb.com>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
-
@mockersf François Mockers <francois.mockers@vleue.com>
-
@loispostula Loïs Postula <lois@postu.la>
-
@NthTensor Miles Silberling-Cook <miles.silberlingcook@gmail.com>
-
@MarcelCoding Marcel <me@m4rc3l.de>
-
@arianvp Arian van Putten <arian.vanputten@gmail.com>
-
@wcarlsen Willi Carlsen <carlsenwilli@gmail.com>
-
@pilz0 Pilz <nix@pilz.foo>