Jub0Bs

**Name of the Vulnerable Software and Affected Versions** Grafana-Zabbix versions 5.2.1 and below **Description** Grafana-Zabbix is a plugin for Grafana that visualizes monitoring data from Zabbix. Versions 5.2.1 and below contain a Regular expression Denial of Service (ReDoS) vulnerability. This issue occurs due to a user-supplied regex query, which can cause maximum CPU usage. **Recommendations** Update to version 6.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** An issue exists where an attacker can pass a malicious malformed token, causing unexpected memory consumption during parsing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 and 1.19 **Description** A flaw exists in the cookie parsing functionality of the net/http package. An absence of limits during cookie parsing can lead to excessive memory consumption, potentially resulting in memory exhaustion. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go net/url package (affected versions not specified) **Description** The net/url package does not limit the number of query parameters, potentially leading to excessive memory consumption when parsing large URL-encoded forms with many unique query parameters using the net/http.Request.ParseForm method. This can result in memory exhaustion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Middleware (affected versions not specified) **Description** The middleware experiences excessive heap allocations when handling malicious preflight requests containing a large number of commas within the Access-Control-Request-Headers (ACRH) header. This can lead to undue load on the middleware/server, potentially resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to the fixed version **Description** The issue is related to a cross-site request forgery vulnerability that allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users, such as Editors or Admins. An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. **Recommendations** Upgrade to a version that contains a fix for this issue as soon as possible. As a temporary workaround, consider restricting the ability of authenticated users to invite new users with high privileges until a patch is available. Avoid using features that allow inviting new users with high privileges in the affected Grafana versions until the issue is resolved.