Hey!
The current Grafana version is pinned at v7.5.17. Renovate has tried to upgrade it, but the PR has been closed.
v7.5.17 was released in 2022 and contains lots of CVEs, including but not limited to:
- CVE-2022-31107 — OAuth account takeover
- CVE-2022-35957 — Escalation to Server Admin when Auth Proxy is used
- CVE-2022-36062 — RBAC folder permission migration bug
- CVE-2022-31123 — Plugin signature verification bypass
- CVE-2022-31130 — Auth token leakage via data source/plugin proxy
- CVE-2022-39201 — Session/cookie leakage via proxy
- CVE-2022-39229 — “Email as username” can block other users’ login
- CVE-2022-39306 — Input validation bypass during invites/registration
- CVE-2022-39307 — User enumeration via “forgot password”
- CVE-2023-0594 — Stored XSS in TraceView
What are the paths forward from here? Is the upgrade planned anytime soon?