CVE-2025-41116 (GCVE-0-2025-41116)
Vulnerability from cvelistv5
Published
2025-11-11 20:18
Modified
2025-11-19 17:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When using the Grafana Databricks Datasource Plugin,
if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in
the wrong user identifier being used, and information for which the viewer is not authorized being returned.
This issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana Labs | Grafana Databricks Datasource Plugin |
Version: 1.6.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T21:44:41.624004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:45:13.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Databricks Datasource Plugin",
"vendor": "Grafana Labs",
"versions": [
{
"lessThan": "1.12.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen using the Grafana Databricks Datasource Plugin,\u003cbr\u003eif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u0026nbsp; could result in\u0026nbsp;\u003c/div\u003e\u003cdiv\u003ethe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u0026nbsp;\u003c/div\u003e\u003cp\u003eThis issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When using the Grafana Databricks Datasource Plugin,\nif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u00a0 could result in\u00a0\n\nthe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u00a0\n\nThis issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T17:52:50.180Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-41116/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Incorrect oauth passthrough in Grafana Databricks Datasource",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41116",
"datePublished": "2025-11-11T20:18:07.602Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2025-11-19T17:52:50.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-41116\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2025-11-11T21:15:38.800\",\"lastModified\":\"2025-11-19T18:15:48.183\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When using the Grafana Databricks Datasource Plugin,\\nif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u00a0 could result in\u00a0\\n\\nthe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u00a0\\n\\nThis issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-653\"}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2025-41116/\",\"source\":\"security@grafana.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-41116\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-12T21:44:41.624004Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-12T21:45:00.878Z\"}}], \"cna\": {\"title\": \"Incorrect oauth passthrough in Grafana Snowflake Datasource\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Grafana Labs\", \"product\": \"Grafana Databricks Datasource Plugin\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.0\", \"lessThan\": \"1.12.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2025-41116/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When using the Grafana Databricks Datasource Plugin,\\nif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\\u00a0 could result in\\u00a0\\n\\nthe wrong user identifier being used, and information for which the viewer is not authorized being returned.\\u00a0\\n\\nThis issue affects Grafana Databricks Datasource Plugin: from 1.12.1 before 1.12.0\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eWhen using the Grafana Databricks Datasource Plugin,\u003cbr\u003eif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u0026nbsp; could result in\u0026nbsp;\u003c/div\u003e\u003cdiv\u003ethe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u0026nbsp;\u003c/div\u003e\u003cp\u003eThis issue affects Grafana Databricks Datasource Plugin: from 1.12.1 before 1.12.0\u0026nbsp;\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-653\", \"description\": \"CWE-653\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2025-11-11T20:18:07.602Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-41116\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-12T21:45:13.287Z\", \"dateReserved\": \"2025-04-16T09:19:26.443Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2025-11-11T20:18:07.602Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…