csaf_suse - suse-su-2025:4482-1

suse-su-2025:4482-1

Vulnerability from csaf_suse

Published

2025-12-18 12:22

Modified

2025-12-18 12:22

Summary

Security update for grafana

Notes

Title of the patch

Security update for grafana

Description of the patch

This update for grafana fixes the following issues: grafana was updated from version 11.5.5 to 11.5.10: - Security issues fixed: * CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version 11.5.10) (bsc#1254113) * CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454) * CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657) * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616) * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735) * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736) * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6) (bsc#1245302) - Other changes, new features and bugs fixed: * Version 11.5.10: + Use forked wire from Grafana repository instead of external package (jsc#PED-14178) + Auth: Fix render user OAuth passthrough. + LDAP Authentication: Fix URL to propagate username context as parameter. + Plugins: Dependencies do not inherit parent URL for preinstall. * Version 11.5.9: + Auditing: Document new options for recording datasource query request/response body. + Login: Fixed redirection after login when Grafana is served from subpath. * Version 11.5.7: + Azure: Fixed legend formatting and resource name determination in template variable queries.

Patchnames

SUSE-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4482,openSUSE-SLE-15.6-2025-4482

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for grafana",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for grafana fixes the following issues:\n\ngrafana was updated from version 11.5.5 to 11.5.10:\n\n- Security issues fixed:\n\n  * CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version 11.5.10)\n    (bsc#1254113)\n  * CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454)\n  * CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657)\n  * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)\n  * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)\n  * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)\n  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6)\n                   (bsc#1245302)\n\n- Other changes, new features and bugs fixed:\n\n  * Version 11.5.10:\n    + Use forked wire from Grafana repository instead of external package (jsc#PED-14178)\n    + Auth: Fix render user OAuth passthrough.\n    + LDAP Authentication: Fix URL to propagate username context as parameter.\n    + Plugins: Dependencies do not inherit parent URL for preinstall.\n\n  * Version 11.5.9:\n    + Auditing: Document new options for recording datasource query request/response body.\n    + Login: Fixed redirection after login when Grafana is served from subpath.\n\n  * Version 11.5.7:\n    + Azure: Fixed legend formatting and resource name determination in template variable queries.\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4482,openSUSE-SLE-15.6-2025-4482",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4482-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4482-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4482-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023614.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1245302",
        "url": "https://bugzilla.suse.com/1245302"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1246735",
        "url": "https://bugzilla.suse.com/1246735"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1246736",
        "url": "https://bugzilla.suse.com/1246736"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1250616",
        "url": "https://bugzilla.suse.com/1250616"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251454",
        "url": "https://bugzilla.suse.com/1251454"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251657",
        "url": "https://bugzilla.suse.com/1251657"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1254113",
        "url": "https://bugzilla.suse.com/1254113"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11065 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11065/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-3415 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-3415/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47911 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47911/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58190 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58190/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6023 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6023/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6197 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6197/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64751 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64751/"
      }
    ],
    "title": "Security update for grafana",
    "tracking": {
      "current_release_date": "2025-12-18T12:22:20Z",
      "generator": {
        "date": "2025-12-18T12:22:20Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4482-1",
      "initial_release_date": "2025-12-18T12:22:20Z",
      "revision_history": [
        {
          "date": "2025-12-18T12:22:20Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.5.10-150200.3.80.1.aarch64",
                "product": {
                  "name": "grafana-11.5.10-150200.3.80.1.aarch64",
                  "product_id": "grafana-11.5.10-150200.3.80.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.5.10-150200.3.80.1.ppc64le",
                "product": {
                  "name": "grafana-11.5.10-150200.3.80.1.ppc64le",
                  "product_id": "grafana-11.5.10-150200.3.80.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.5.10-150200.3.80.1.s390x",
                "product": {
                  "name": "grafana-11.5.10-150200.3.80.1.s390x",
                  "product_id": "grafana-11.5.10-150200.3.80.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-11.5.10-150200.3.80.1.x86_64",
                "product": {
                  "name": "grafana-11.5.10-150200.3.80.1.x86_64",
                  "product_id": "grafana-11.5.10-150200.3.80.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:packagehub:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:packagehub:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.aarch64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.ppc64le as component of SUSE Linux Enterprise Module for Package Hub 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.s390x as component of SUSE Linux Enterprise Module for Package Hub 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.x86_64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.aarch64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.ppc64le as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.s390x as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.x86_64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-11.5.10-150200.3.80.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        },
        "product_reference": "grafana-11.5.10-150200.3.80.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11065",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11065"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11065",
          "url": "https://www.suse.com/security/cve/CVE-2025-11065"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1250608 for CVE-2025-11065",
          "url": "https://bugzilla.suse.com/1250608"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-11065"
    },
    {
      "cve": "CVE-2025-3415",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-3415"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-3415",
          "url": "https://www.suse.com/security/cve/CVE-2025-3415"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1245302 for CVE-2025-3415",
          "url": "https://bugzilla.suse.com/1245302"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-3415"
    },
    {
      "cve": "CVE-2025-47911",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47911"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47911",
          "url": "https://www.suse.com/security/cve/CVE-2025-47911"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251308 for CVE-2025-47911",
          "url": "https://bugzilla.suse.com/1251308"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-47911"
    },
    {
      "cve": "CVE-2025-58190",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58190"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58190",
          "url": "https://www.suse.com/security/cve/CVE-2025-58190"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251309 for CVE-2025-58190",
          "url": "https://bugzilla.suse.com/1251309"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-58190"
    },
    {
      "cve": "CVE-2025-6023",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6023"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.\n\nThe open redirect can be chained with path traversal vulnerabilities to achieve XSS.\n\nFixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6023",
          "url": "https://www.suse.com/security/cve/CVE-2025-6023"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246735 for CVE-2025-6023",
          "url": "https://bugzilla.suse.com/1246735"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6023"
    },
    {
      "cve": "CVE-2025-6197",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6197"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\n\n\nPrerequisites for exploitation:\n\n- Multiple organizations must exist in the Grafana instance\n\n- Victim must be on a different organization than the one specified in the URL",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6197",
          "url": "https://www.suse.com/security/cve/CVE-2025-6197"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246736 for CVE-2025-6197",
          "url": "https://bugzilla.suse.com/1246736"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6197"
    },
    {
      "cve": "CVE-2025-64751",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64751"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 \u003c= Helm chart \u003c= openfga-0.2.48, v.1.4.0 \u003c= docker \u003c= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
          "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64751",
          "url": "https://www.suse.com/security/cve/CVE-2025-64751"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254112 for CVE-2025-64751",
          "url": "https://bugzilla.suse.com/1254112"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1.x86_64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.aarch64",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.s390x",
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1.x86_64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.aarch64",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.ppc64le",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.s390x",
            "openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-18T12:22:20Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-64751"
    }
  ]
}

CVE-2025-64751 (GCVE-0-2025-64751)

Vulnerability from cvelistv5

Published

2025-11-21 01:24

Modified

2025-11-24 18:11

Severity ?

5.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-285 - Improper Authorization

Summary

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.

References

URL

Tags

	https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc	x_refsource_CONFIRM
	https://github.com/openfga/openfga/releases/tag/v1.11.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	openfga	openfga	Version: >= 1.4.0, < 1.11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64751",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T17:06:17.599165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T18:11:03.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openfga",
          "vendor": "openfga",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 1.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 \u003c= Helm chart \u003c= openfga-0.2.48, v.1.4.0 \u003c= docker \u003c= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T01:24:32.509Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc"
        },
        {
          "name": "https://github.com/openfga/openfga/releases/tag/v1.11.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openfga/openfga/releases/tag/v1.11.1"
        }
      ],
      "source": {
        "advisory": "GHSA-2c64-vmv2-hgfc",
        "discovery": "UNKNOWN"
      },
      "title": "OpenFGA Improper Policy Enforcement"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64751",
    "datePublished": "2025-11-21T01:24:32.509Z",
    "dateReserved": "2025-11-10T22:29:34.873Z",
    "dateUpdated": "2025-11-24T18:11:03.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3415 (GCVE-0-2025-3415)

Vulnerability from cvelistv5

Published

2025-07-17 10:13

Modified

2025-07-17 14:05

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

References

URL

Tags

https://grafana.com/security/security-advisories/cve-2025-3415

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Version: 10.4.x ≤ Version: 11.2.x ≤ Version: 11.3.x ≤ Version: 11.4.x ≤ Version: 11.5.x ≤ Version: 11.6.x ≤ Version: 12.0.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3415",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T14:05:03.257904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T14:05:19.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "10.4.19+security-01",
              "status": "affected",
              "version": "10.4.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.2.10+security-01",
              "status": "affected",
              "version": "11.2.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.3.7+security-01",
              "status": "affected",
              "version": "11.3.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.4.5+security-01",
              "status": "affected",
              "version": "11.4.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.5+security-01",
              "status": "affected",
              "version": "11.5.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.6.2+security-01",
              "status": "affected",
              "version": "11.6.x",
              "versionType": "semver"
            },
            {
              "lessThan": "12.0.1+security-01",
              "status": "affected",
              "version": "12.0.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Saurabh Banawar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \u003cbr\u003eFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"
            }
          ],
          "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "Automatable": "No",
              "Exploitation": "None",
              "Technical Impact": "None",
              "Value Density": "Diffused"
            },
            "type": "SSVCv2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T10:30:00.918Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2025-3415"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2025-3415",
    "datePublished": "2025-07-17T10:13:14.717Z",
    "dateReserved": "2025-04-07T14:28:18.797Z",
    "dateUpdated": "2025-07-17T14:05:19.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-6197 (GCVE-0-2025-6197)

Vulnerability from cvelistv5

Published

2025-07-18 07:48

Modified

2025-07-18 13:46

Severity ?

4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-601

Summary

An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL

References

URL

Tags

	https://grafana.com/security/security-advisories/cve-2025-6197/	vendor-advisory
	https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/	mitigation, release-notes

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Version: 12.0.x ≤ Version: 11.6.x ≤ Version: 11.5.x ≤ Version: 11.4.x ≤ Version: 11.3.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6197",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-18T13:45:54.505880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-18T13:46:01.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.2+security-01",
              "status": "affected",
              "version": "12.0.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.6.3+security-01",
              "status": "affected",
              "version": "11.6.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.6+security-01",
              "status": "affected",
              "version": "11.5.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.4.6+security-01",
              "status": "affected",
              "version": "11.4.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.3.8+security-01",
              "status": "affected",
              "version": "11.3.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dat Phung"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\u003cbr\u003e\u003c/p\u003e\u003cp\u003ePrerequisites for exploitation:\u003c/p\u003e\u003cp\u003e- Multiple organizations must exist in the Grafana instance\u003c/p\u003e\u003cp\u003e- Victim must be on a different organization than the one specified in the URL\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\n\n\nPrerequisites for exploitation:\n\n- Multiple organizations must exist in the Grafana instance\n\n- Victim must be on a different organization than the one specified in the URL"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-194",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-194"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T07:49:16.382Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "name": "Vulnerable code location",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2025-6197/"
        },
        {
          "tags": [
            "mitigation",
            "release-notes"
          ],
          "url": "https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2025-6197",
    "datePublished": "2025-07-18T07:48:22.523Z",
    "dateReserved": "2025-06-17T07:22:18.547Z",
    "dateUpdated": "2025-07-18T13:46:01.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-6023 (GCVE-0-2025-6023)

Vulnerability from cvelistv5

Published

2025-07-18 07:48

Modified

2025-07-18 13:46

Severity ?

7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CWE

Summary

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01

References

URL

Tags

	https://grafana.com/security/security-advisories/cve-2025-6023/	vendor-advisory
	https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/	release-notes, mitigation

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Version: 12.0.x ≤ Version: 11.6.x ≤ Version: 11.5.x ≤ Version: 11.4.x ≤ Version: 11.3.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-18T13:46:38.999015Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-18T13:46:45.354Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.2+security-01",
              "status": "affected",
              "version": "12.0.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.6.3+security-01",
              "status": "affected",
              "version": "11.6.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.6+security-01",
              "status": "affected",
              "version": "11.5.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.4.6+security-01",
              "status": "affected",
              "version": "11.4.x",
              "versionType": "semver"
            },
            {
              "lessThan": "11.3.8+security-01",
              "status": "affected",
              "version": "11.3.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hoa X. Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.\u003c/p\u003e\u003cp\u003eThe open redirect can be chained with path traversal vulnerabilities to achieve XSS.\u003cbr\u003e\u003cbr\u003eFixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01\u003c/p\u003e"
            }
          ],
          "value": "An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.\n\nThe open redirect can be chained with path traversal vulnerabilities to achieve XSS.\n\nFixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-194",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-194"
            }
          ]
        },
        {
          "capecId": "CAPEC-209",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-209"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T07:49:54.804Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "name": "Security vulnerability management issue",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2025-6023/"
        },
        {
          "tags": [
            "release-notes",
            "mitigation"
          ],
          "url": "https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2025-6023",
    "datePublished": "2025-07-18T07:48:15.972Z",
    "dateReserved": "2025-06-12T07:05:20.773Z",
    "dateUpdated": "2025-07-18T13:46:45.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2025:4482-1

Vulnerability from csaf_suse

CVE-2025-64751 (GCVE-0-2025-64751)

Vulnerability from cvelistv5

CVE-2025-3415 (GCVE-0-2025-3415)

Vulnerability from cvelistv5

CVE-2025-6197 (GCVE-0-2025-6197)

Vulnerability from cvelistv5

CVE-2025-6023 (GCVE-0-2025-6023)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature