Описание
Security update for grafana
This update for grafana to version to 11.6.14+security01 fixes the following issues:
-
Security Fixes:
- CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service (bsc#1262950)
- CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)
- CVE-2026-26958: Ensure that MultiScalarMult properly handles initialization and produces correct results (bsc#1258595)
- CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)
- CVE-2026-33375: Fixed denial of Service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)
- CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
- CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
- CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)
- CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
- CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263)
- CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878)
-
Highlights of other changes and bug fixes:
-
Version 11.6.13:
- Wire the public dashboard service to the HTTP server
-
Version 11.6.12:
- Update authentication redirect logic
- Fixed single panel render with variable references
-
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP7
Ссылки
- Link for SUSE-SU-2026:2258-1
- E-Mail link for SUSE-SU-2026:2258-1
- SUSE Security Ratings
- SUSE Bug 1258595
- SUSE Bug 1258873
- SUSE Bug 1259999
- SUSE Bug 1260263
- SUSE Bug 1260878
- SUSE Bug 1260881
- SUSE Bug 1261025
- SUSE Bug 1261026
- SUSE Bug 1261027
- SUSE Bug 1261029
- SUSE Bug 1262950
- SUSE Bug 1263501
- SUSE CVE CVE-2025-29923 page
- SUSE CVE CVE-2026-21724 page
- SUSE CVE CVE-2026-21725 page
- SUSE CVE CVE-2026-26958 page
- SUSE CVE CVE-2026-27876 page
Описание
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.
Затронутые продукты
Ссылки
- CVE-2025-29923
- SUSE Bug 1241152
Описание
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Затронутые продукты
Ссылки
- CVE-2026-21724
- SUSE Bug 1260878
Описание
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.
Затронутые продукты
Ссылки
- CVE-2026-21725
- SUSE Bug 1258873
Описание
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.
Затронутые продукты
Ссылки
- CVE-2026-26958
- SUSE Bug 1258570
Описание
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Затронутые продукты
Ссылки
- CVE-2026-27876
- SUSE Bug 1261025
Описание
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Затронутые продукты
Ссылки
- CVE-2026-27877
- SUSE Bug 1261026
Описание
A resample query can be used to trigger out-of-memory crashes in Grafana.
Затронутые продукты
Ссылки
- CVE-2026-27879
- SUSE Bug 1261027
Описание
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Затронутые продукты
Ссылки
- CVE-2026-28375
- SUSE Bug 1261029
Описание
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Затронутые продукты
Ссылки
- CVE-2026-33186
- SUSE Bug 1260085
Описание
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Затронутые продукты
Ссылки
- CVE-2026-33375
- SUSE Bug 1260881
Описание
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Затронутые продукты
Ссылки
- CVE-2026-34986
- SUSE Bug 1262805
Описание
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Затронутые продукты
Ссылки
- CVE-2026-41602
- SUSE Bug 1263496