Need a remediation plan for Grafana vulnerabilities. Details are given below.

| Number | Summary | Configuration item | ID | Exploit exists | CVE IDs |
|---|---|---|---|---|---|
| VIT3947537 | Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | il3tlgrafana01 | QID-12942 | Yes | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| VIT3947539 | Web Server Uses Plain-Text Form Based Authentication | il3tlgrafana01 | QID-86728 | No | No CVE found |
| VIT3947547 | Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | va1plgrafana01 | QID-12942 | Yes | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| VIT3947549 | Web Server Uses Plain-Text Form Based Authentication | va1plgrafana01 | QID-86728 | No | No CVE found |
| VIT3954823 | Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | va1plgrafana02 | QID-12942 | Yes | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| VIT3954825 | Web Server Uses Plain-Text Form Based Authentication | va1plgrafana02 | QID-86728 | No | No CVE found |

These are for Graphite, are they not? And they look rather old…

It is for Grafana. We want to upgrade Grafana. Can you please provide a step-by-step procedure, or a document if one is available?

What is the current version?
On what OS, or in Docker?
Do you have a sandbox where you can test this upgrade?
Is it cloud or on-prem?
Enterprise or OSS?

  • Open Source
  • v7.5.6
  • Linux OS

It goes without saying that I would never try an upgrade on the live stuff. That is why I asked you about a sandbox, which, interestingly, you did not respond to :slight_smile:

We do have test Grafana servers.
Are we good to upgrade directly from v7.5.6 to v8.x.x?

First read the upgrade path to v8 and understand the issues that an upgrade entails. But since it is a test server, the only way to find out is to try the upgrade.

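One way to rehearse that 7.5.6 to 8.x upgrade on the test server, added here as an example; it is not code from the thread or from the Grafana project. It assumes the package-install layout (/var/lib/grafana for the SQLite database, /etc/grafana for grafana.ini, a grafana-server systemd unit, apt as the package manager), the GET /api/health endpoint, and a GRAFANA_TARGET environment variable naming the 8.x package version you have validated. The snapshot and restore helpers run anywhere; the guarded block at the end is the live rehearsal and only runs when invoked with `run` as root.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Grafana project): rehearse a
# 7.5.6 -> 8.x upgrade on a test host with a restorable snapshot.
# Paths are the deb/rpm package defaults and are assumptions for your install.
set -eu

# Snapshot Grafana state before touching packages: the SQLite database under
# var/lib/grafana and the config under etc/grafana, stored relative to <root>
# so the same archive restores with a single -C.
#   usage: grafana_snapshot <root> <dest_dir>   (root is "/" on a real host)
# Prints the path of the archive it wrote.
grafana_snapshot() {
  local root="$1" dest_dir="$2" archive
  archive="${dest_dir}/grafana-pre-upgrade-$(date +%Y%m%d-%H%M%S).tar.gz"
  mkdir -p "$dest_dir"
  tar -czf "$archive" -C "$root" var/lib/grafana etc/grafana
  printf '%s\n' "$archive"
}

# Put the snapshot back (database and config) under <root>.
grafana_restore() {
  local archive="$1" root="$2"
  tar -xzf "$archive" -C "$root"
}

# Pull the running version out of the JSON returned by GET /api/health, e.g.
# {"commit":"...","database":"ok","version":"7.5.6"}. Record it before and
# after the upgrade so the change record carries both values.
grafana_version_from_health() {
  printf '%s' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Major version (accepts "v7.5.6" or "7.5.6"). 7 -> 8 crosses a major
# boundary, which is exactly when the release's upgrade notes must be read.
major_version() {
  printf '%s\n' "${1#v}" | cut -d. -f1
}

# The rehearsal itself; test server only, run as root:
#   GRAFANA_TARGET=8.x.y bash rehearse-upgrade.sh run
if [ "${1:-}" = "run" ]; then
  : "${GRAFANA_TARGET:?set to the 8.x package version you validated, e.g. 8.5.27}"
  before="$(grafana_version_from_health "$(curl -sf http://localhost:3000/api/health)")"
  snap="$(grafana_snapshot / /var/backups)"
  echo "snapshot $snap taken from grafana $before"

  # apt shown; use yum/dnf on RHEL-family hosts.
  apt-get install -y "grafana=${GRAFANA_TARGET}"
  systemctl restart grafana-server
  sleep 5
  after="$(grafana_version_from_health "$(curl -sf http://localhost:3000/api/health || true)")"

  # Anything other than a healthy 8.x answer means roll back: old package,
  # then the database and config from the snapshot.
  if [ "$(major_version "$after")" != 8 ]; then
    echo "upgrade failed (health reports '${after:-nothing}'), rolling back" >&2
    systemctl stop grafana-server
    apt-get install -y --allow-downgrades "grafana=${before}"
    grafana_restore "$snap" /
    systemctl start grafana-server
    exit 1
  fi
  echo "upgraded $before -> $after; now verify dashboards, datasources and plugins"
fi
```

The rollback reinstalls the previous package before restoring the database, because an 8.x binary that has already migrated grafana.db will happily migrate it again on the next start; restoring the file under the old package is what actually returns the test host to its pre-upgrade state.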

Mainly I want to upgrade Grafana to remediate Log4j vulnerabilities. Kindly let us know at which version of Grafana we can remediate these vulnerabilities.

So your current version of Grafana has that vulnerability?

No, we want to act proactively, and we have other vulnerabilities right now.

You’ll have to be clear about which vulnerabilities you have identified, in a specific version of Grafana, for anyone to be able to tell you whether they have been addressed in a later version.

Grafana is not vulnerable to the log4j (or shell4j) problem.

Regards,

Antony.


Currently we have the vulnerabilities below, which need to be remediated. The current version of Grafana is v7.5.6.

| Summary | Configuration item | ID | CVE IDs |
|---|---|---|---|
| Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | il3tlgrafana01 | QID-12942 | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| Web Server Uses Plain-Text Form Based Authentication | il3tlgrafana01 | QID-86728 | No CVE found |
| Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | va1plgrafana01 | QID-12942 | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| Web Server Uses Plain-Text Form Based Authentication | va1plgrafana01 | QID-86728 | No CVE found |
| Graphite Cross-Site Scripting and Arbitrary Code Execution Vulnerabilities | va1plgrafana02 | QID-12942 | CVE-2013-5943, CVE-2013-5942, CVE-2013-5093 |
| Web Server Uses Plain-Text Form Based Authentication | va1plgrafana02 | QID-86728 | No CVE found |

Might be worth reporting this to that plugin’s repo.

I am not getting you. What are you suggesting for these vulnerabilities? Please give us more details.

Post an issue in the issues section of the Grafana GitHub, or contact support.

CVE-2013-5943, CVE-2013-5942 and CVE-2013-5093 are Graphite issues. Graphite is not Grafana; that is different software. So these issues can’t be fixed by Grafana.

It looks like you have Graphite installed on the hosts which have Grafana names. But that doesn’t mean it is a problem of Grafana.

BTW, you are trying to fix issues which were discovered in 2013. Now it’s 2022. I would say it would be worth rebuilding those hosts from scratch with current versions.

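Two checks a practitioner would run before filing these findings against Grafana, added here as an example that is not from the thread or from either project: which product is actually answering on the scanned host (a "grafana" hostname proves nothing, as the reply above says), and whether the plain-text form-based authentication finding (QID-86728) is simply Grafana's default of serving its login form over HTTP, which is a transport fix and not something a Grafana version bump changes. The page-title signatures, the /api/health JSON shape and the certificate paths are assumptions; `protocol`, `cert_file` and `cert_key` are real `[server]` keys in grafana.ini.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Grafana/Graphite projects): confirm
# what the scanner actually hit before treating a finding as a Grafana bug.
# Signatures and paths below are assumptions, not the scanner's own logic.
set -eu

# Classify an HTTP response body. Grafana's /api/health returns JSON with
# "database" and "version" keys and its HTML pages carry <title>Grafana...;
# graphite-web's front page advertises "Graphite" in its title (assumption).
classify_body() {
  case "$1" in
    *'"database"'*'"version"'*) echo grafana ;;
    *'<title>Grafana'*)          echo grafana ;;
    *Graphite*|*graphite-web*)   echo graphite ;;
    *)                           echo unknown ;;
  esac
}

# Probe a host at Grafana's default port and at the web root, printing
# "<host> <service> <url>" for the first URL that identifies itself.
probe_host() {
  local host="$1" url body svc
  for url in "http://$host:3000/api/health" "http://$host/"; do
    body="$(curl -sS -m 5 "$url" 2>/dev/null || true)"
    svc="$(classify_body "$body")"
    if [ "$svc" != unknown ]; then
      printf '%s %s %s\n' "$host" "$svc" "$url"
      return 0
    fi
  done
  printf '%s unknown -\n' "$host"
}

# Effective [server] protocol from grafana.ini text. Commented-out keys
# (";protocol = http") do not count, and Grafana's default is http when the
# key is absent, so an untouched config still produces the QID-86728 finding.
effective_protocol() {
  local proto
  proto="$(printf '%s\n' "$1" | awk '
    /^[[:space:]]*\[/ { sec = $0; next }
    sec ~ /^\[server\]/ && /^[[:space:]]*protocol[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }')"
  printf '%s\n' "${proto:-http}"
}

# The corrected stanza that closes QID-86728: serve the login form over TLS.
# cert_file/cert_key are real keys; the paths are assumptions for your host.
tls_stanza() {
  cat <<'EOF'
[server]
protocol = https
http_port = 3000
cert_file = /etc/grafana/tls/grafana.crt
cert_key  = /etc/grafana/tls/grafana.key
EOF
}

# usage: bash triage.sh il3tlgrafana01 va1plgrafana01 va1plgrafana02
if [ $# -gt 0 ]; then
  for h in "$@"; do probe_host "$h"; done
  if [ -r /etc/grafana/grafana.ini ]; then
    proto="$(effective_protocol "$(cat /etc/grafana/grafana.ini)")"
    echo "local grafana.ini serves $proto"
    if [ "$proto" != https ]; then
      echo "QID-86728 applies here; set in grafana.ini:"
      tls_stanza
    fi
  fi
fi
```

If `probe_host` reports graphite on port 80 and grafana on 3000, the QID-12942 findings belong to the Graphite install on that host, and the only Grafana-side work is the TLS change; a reverse proxy terminating TLS in front of port 3000 is the usual alternative to the stanza above, in which case `root_url` should also be set to the https address so Grafana builds correct links.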