x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

GoVulnBot · 2025-01-31T22:01:42Z

Advisory GHSA-wxcc-2f3q-4h58 references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana

Description:
Grafana is an open-source platform for monitoring and observability.
The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15

References:

ADVISORY: GHSA-wxcc-2f3q-4h58
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-11741
WEB: https://grafana.com/security/security-advisories/cve-2024-11741

Cross references:

github.com/grafana/grafana appears in 53 other report(s):
- data/excluded/GO-2022-0259.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0275.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0276.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0277.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0296.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0311.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0312.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0313.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0753.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0773.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0934.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934) NOT_IMPORTABLE
- data/excluded/GO-2023-1599.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1603.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1604.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1673.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673) NOT_A_VULNERABILITY
- data/excluded/GO-2023-1674.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1680.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680) NOT_GO_CODE
- data/excluded/GO-2023-1843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1875.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1964.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2120.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120) EFFECTIVELY_PRIVATE
- data/excluded/GO-2024-2551.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0342.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342)
- data/reports/GO-2022-0707.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707)
- data/reports/GO-2024-2483.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-6wh2-8hw7-jw94 #2483)
- data/reports/GO-2024-2510.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-v5gq-qvjq-8p53 #2510)
- data/reports/GO-2024-2513.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3jq7-8ph8-63xm #2513)
- data/reports/GO-2024-2515.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7m2x-qhrq-rp8h #2515)
- data/reports/GO-2024-2516.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-9hv8-4frf-cprf #2516)
- data/reports/GO-2024-2517.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ccmg-w4xm-p28v #2517)
- data/reports/GO-2024-2519.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519)
- data/reports/GO-2024-2520.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mvpr-q6rh-8vrp #2520)
- data/reports/GO-2024-2523.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xr3x-62qw-vc4w #2523)
- data/reports/GO-2024-2629.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629)
- data/reports/GO-2024-2661.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/tsdb/mysql: GHSA-4pwp-cx67-5cpx #2661)
- data/reports/GO-2024-2697.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697)
- data/reports/GO-2024-2843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-2x6g-h2hg-rq84 #2843)
- data/reports/GO-2024-2844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3p62-42x7-gxg5 #2844)
- data/reports/GO-2024-2847.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ff5c-938w-8c9q #2847)
- data/reports/GO-2024-2848.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-gj7m-853r-289r #2848)
- data/reports/GO-2024-2851.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-jv32-5578-pxjc #2851)
- data/reports/GO-2024-2852.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mx47-6497-3fv2 #2852)
- data/reports/GO-2024-2854.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-p978-56hq-r492 #2854)
- data/reports/GO-2024-2855.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-rhxj-gh46-jvw8 #2855)
- data/reports/GO-2024-2856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vqc4-mpj8-jxch #2856)
- data/reports/GO-2024-2857.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vw7q-p2qg-4m5f #2857)
- data/reports/GO-2024-2858.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x744-mm8v-vpgr #2858)
- data/reports/GO-2024-2867.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-4724-7jwc-3fpw #2867)
- data/reports/GO-2024-3079.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079)
- data/reports/GO-2024-3215.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215)
- data/reports/GO-2024-3240.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - introduced: TODO (earliest fixed "11.4.1", vuln range "= 11.4.0")
        - fixed: 10.4.15
        - introduced: 11.0.0
        - fixed: 11.0.11
        - introduced: 11.1.0
        - fixed: 11.1.11
        - introduced: 11.2.0
        - fixed: 11.2.6
        - introduced: 11.3.0
        - fixed: 11.3.3
      vulnerable_at: 5.4.5+incompatible
summary: |-
    Grafana Alerting VictorOps integration could be exposed to users with Viewer
    permission in github.com/grafana/grafana
cves:
    - CVE-2024-11741
ghsas:
    - GHSA-wxcc-2f3q-4h58
references:
    - advisory: https://github.com/advisories/GHSA-wxcc-2f3q-4h58
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-11741
    - web: https://grafana.com/security/security-advisories/cve-2024-11741
notes:
    - fix: 'module merge error: could not merge versions of module github.com/grafana/grafana: invalid or non-canonical semver version (found TODO (earliest fixed "11.4.1", vuln range "= 11.4.0"))'
source:
    id: GHSA-wxcc-2f3q-4h58
    created: 2025-01-31T22:01:41.790748466Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-02-04T18:49:40Z

Change https://go.dev/cl/646595 mentions this issue: data/reports: add 9 unreviewed reports

GoVulnBot added the NeedsTriage label Jan 31, 2025

tatianab added triaged and removed NeedsTriage labels Feb 4, 2025

gopherbot closed this as completed in f230a55 Feb 4, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

GoVulnBot commented Jan 31, 2025

gopherbot commented Feb 4, 2025

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

Comments

GoVulnBot commented Jan 31, 2025

gopherbot commented Feb 4, 2025