CVE-2025-3415
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: Grafana Labs
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | 11.5.5 |
| grafana | grafana | 11.4.5 |
| grafana | grafana | 11.3.7 |
| grafana | grafana | 12.0.1 |
| grafana | grafana | 11.6.2 |
| grafana | grafana | 11.2.10 |
| grafana | grafana | 10.4.19 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Grafana involves the Alerting DingDing integration, which was not properly protected and could be accessed by users with only Viewer permissions, potentially exposing alerting functionality to unauthorized users.
How can this vulnerability impact me?
The vulnerability could allow users with limited Viewer permissions to access or interact with the Alerting DingDing integration, potentially leading to unauthorized exposure or manipulation of alerting configurations, which may affect monitoring reliability or cause information disclosure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Grafana to one of the fixed versions: 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01, or 12.0.1+security-01. Until the update is applied, review which accounts hold the Viewer role and restrict their access to the DingDing alerting integration.