| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/grafana@9.2.10-21?arch=el9_4 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-c5e4-td2w-37by (aliases: CVE-2025-21614, GHSA-r9px-m959-cxf4) | go-git clients vulnerable to DoS via maliciously crafted Git server replies. Impact: a denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. It allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which trigger resource exhaustion in `go-git` clients. This is a `go-git` implementation issue and does not affect the upstream `git` CLI. Patches: users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability. Workarounds: in cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers. Credit: thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. | There are no reported fixed-by versions. |
| VCID-j8jp-r751-sbf8 (aliases: CVE-2025-21613, GHSA-v725-9546-7q7m) | go-git has an argument injection via the URL field. Impact: an argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values for [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries. Affected versions: users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability. Workarounds: in cases where a bump to the latest version of `go-git` is not possible, we recommend that users enforce strict validation rules for values passed in the URL field. Credit: thanks to @vin01 for responsibly disclosing this vulnerability to us. | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:43:22.441069+00:00 | RedHat Importer | Affected by | VCID-j8jp-r751-sbf8 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21613.json | 38.0.0 |
| 2026-04-01T13:43:22.353925+00:00 | RedHat Importer | Affected by | VCID-c5e4-td2w-37by | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21614.json | 38.0.0 |