Closed
Description
Advisory GHSA-wxcc-2f3q-4h58 references a vulnerability in the following Go modules:
| Module |
| --- |
| github.com/grafana/grafana |
Description:
Grafana is an open-source platform for monitoring and observability.
The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15
References:
- ADVISORY: GHSA-wxcc-2f3q-4h58
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-11741
- WEB: https://grafana.com/security/security-advisories/cve-2024-11741
Cross references:
- github.com/grafana/grafana appears in 53 other report(s):
  - data/excluded/GO-2022-0259.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0275.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0276.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0277.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0296.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0311.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0312.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0313.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0753.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0773.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0934.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934) NOT_IMPORTABLE
  - data/excluded/GO-2023-1599.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1603.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1604.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1673.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673) NOT_A_VULNERABILITY
  - data/excluded/GO-2023-1674.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1680.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680) NOT_GO_CODE
  - data/excluded/GO-2023-1843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1875.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1964.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2120.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2024-2551.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551) EFFECTIVELY_PRIVATE
  - data/reports/GO-2022-0342.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342)
  - data/reports/GO-2022-0707.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707)
  - data/reports/GO-2024-2483.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-6wh2-8hw7-jw94 #2483)
  - data/reports/GO-2024-2510.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-v5gq-qvjq-8p53 #2510)
  - data/reports/GO-2024-2513.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3jq7-8ph8-63xm #2513)
  - data/reports/GO-2024-2515.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7m2x-qhrq-rp8h #2515)
  - data/reports/GO-2024-2516.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-9hv8-4frf-cprf #2516)
  - data/reports/GO-2024-2517.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ccmg-w4xm-p28v #2517)
  - data/reports/GO-2024-2519.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519)
  - data/reports/GO-2024-2520.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mvpr-q6rh-8vrp #2520)
  - data/reports/GO-2024-2523.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xr3x-62qw-vc4w #2523)
  - data/reports/GO-2024-2629.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629)
  - data/reports/GO-2024-2661.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/tsdb/mysql: GHSA-4pwp-cx67-5cpx #2661)
  - data/reports/GO-2024-2697.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697)
  - data/reports/GO-2024-2843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-2x6g-h2hg-rq84 #2843)
  - data/reports/GO-2024-2844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3p62-42x7-gxg5 #2844)
  - data/reports/GO-2024-2847.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ff5c-938w-8c9q #2847)
  - data/reports/GO-2024-2848.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-gj7m-853r-289r #2848)
  - data/reports/GO-2024-2851.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-jv32-5578-pxjc #2851)
  - data/reports/GO-2024-2852.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mx47-6497-3fv2 #2852)
  - data/reports/GO-2024-2854.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-p978-56hq-r492 #2854)
  - data/reports/GO-2024-2855.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-rhxj-gh46-jvw8 #2855)
  - data/reports/GO-2024-2856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vqc4-mpj8-jxch #2856)
  - data/reports/GO-2024-2857.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vw7q-p2qg-4m5f #2857)
  - data/reports/GO-2024-2858.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x744-mm8v-vpgr #2858)
  - data/reports/GO-2024-2867.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-4724-7jwc-3fpw #2867)
  - data/reports/GO-2024-3079.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079)
  - data/reports/GO-2024-3215.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215)
  - data/reports/GO-2024-3240.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - introduced: TODO (earliest fixed "11.4.1", vuln range "= 11.4.0")
        - fixed: 10.4.15
        - introduced: 11.0.0
        - fixed: 11.0.11
        - introduced: 11.1.0
        - fixed: 11.1.11
        - introduced: 11.2.0
        - fixed: 11.2.6
        - introduced: 11.3.0
        - fixed: 11.3.3
      vulnerable_at: 5.4.5+incompatible
summary: |-
    Grafana Alerting VictorOps integration could be exposed to users with Viewer
    permission in github.com/grafana/grafana
cves:
    - CVE-2024-11741
ghsas:
    - GHSA-wxcc-2f3q-4h58
references:
    - advisory: https://github.com/advisories/GHSA-wxcc-2f3q-4h58
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-11741
    - web: https://grafana.com/security/security-advisories/cve-2024-11741
notes:
    - fix: 'module merge error: could not merge versions of module github.com/grafana/grafana: invalid or non-canonical semver version (found TODO (earliest fixed "11.4.1", vuln range "= 11.4.0"))'
source:
    id: GHSA-wxcc-2f3q-4h58
    created: 2025-01-31T22:01:41.790748466Z
review_status: UNREVIEWED
```