Описание
Security update for grafana
This update for grafana fixes the following issues:
grafana was updated from version 11.5.5 to 11.5.10:
-
Security issues fixed:
- CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version 11.5.10) (bsc#1254113)
- CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454)
- CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657)
- CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
- CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
- CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
- CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6) (bsc#1245302)
-
Other changes, new features and bugs fixed:
-
Version 11.5.10:
- Use forked wire from Grafana repository instead of external package (jsc#PED-14178)
- Auth: Fix render user OAuth passthrough.
- LDAP Authentication: Fix URL to propagate username context as parameter.
- Plugins: Dependencies do not inherit parent URL for preinstall.
-
Version 11.5.9:
- Auditing: Document new options for recording datasource query request/response body.
- Login: Fixed redirection after login when Grafana is served from subpath.
-
Version 11.5.7:
- Azure: Fixed legend formatting and resource name determination in template variable queries.
-
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:4482-1
- E-Mail link for SUSE-SU-2025:4482-1
- SUSE Security Ratings
- SUSE Bug 1245302
- SUSE Bug 1246735
- SUSE Bug 1246736
- SUSE Bug 1250616
- SUSE Bug 1251454
- SUSE Bug 1251657
- SUSE Bug 1254113
- SUSE CVE CVE-2025-11065 page
- SUSE CVE CVE-2025-3415 page
- SUSE CVE CVE-2025-47911 page
- SUSE CVE CVE-2025-58190 page
- SUSE CVE CVE-2025-6023 page
- SUSE CVE CVE-2025-6197 page
- SUSE CVE CVE-2025-64751 page
Описание
unknown
Затронутые продукты
Ссылки
- CVE-2025-11065
- SUSE Bug 1250608
Описание
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
Затронутые продукты
Ссылки
- CVE-2025-3415
- SUSE Bug 1245302
Описание
unknown
Затронутые продукты
Ссылки
- CVE-2025-47911
- SUSE Bug 1251308
Описание
unknown
Затронутые продукты
Ссылки
- CVE-2025-58190
- SUSE Bug 1251309
Описание
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01
Затронутые продукты
Ссылки
- CVE-2025-6023
- SUSE Bug 1246735
Описание
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL
Затронутые продукты
Ссылки
- CVE-2025-6197
- SUSE Bug 1246736
Описание
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.
Затронутые продукты
Ссылки
- CVE-2025-64751
- SUSE Bug 1254112