CVE-2025-3415

Published: 24 Jun 2025
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges.

Report

The Grafana development team assessed this as a Medium severity information exposure issue. Viewer-role users can now access sensitive webhook URLs, enabling them to hijack or misuse notifications through the DingDing integration. The underlying cause is weak access control policies that do not restrict configuration data from lower-privileged roles.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | Status | Recommendation | Release
Red Hat Enterprise Linux 10 | grafana | Fix deferred | - | -
Red Hat Enterprise Linux 8 | grafana | Fix deferred | - | -
Red Hat Enterprise Linux 9 | grafana | Fix deferred | - | -


Additional information

Status: Moderate
Weakness: CWE-200
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2374538
Title: grafana: Exposure of DingDing alerting integration URL to Viewer level users

EPSS: 0.00687 (Low), percentile 71%

CVSS3: 4.3 (Medium)

Related vulnerabilities

CVSS3: 4.3
ubuntu
17 days ago

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

CVSS3: 4.3
nvd
17 days ago

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

CVSS3: 4.3
debian
17 days ago

Grafana is an open-source platform for monitoring and observability. T ...

CVSS3: 4.3
github
17 days ago

Grafana's insecure DingDing Alert integration exposes sensitive information

CVSS3: 4.3
fstec
18 days ago

A vulnerability in the Alerts & IRM alerting service of the Grafana monitoring and observability platform that allows an attacker to disclose protected information
