Security update for grafana SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4482-1 Final 1 1 2025-12-18T12:22:20Z current 2025-12-18T12:22:20Z 2025-12-18T12:22:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana This update for grafana fixes the following issues: grafana was updated from version 11.5.5 to 11.5.10: - Security issues fixed: * CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version 11.5.10) (bsc#1254113) * CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454) * CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657) * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616) * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735) * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736) * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6) (bsc#1245302) - Other changes, new features and bugs fixed: * Version 11.5.10: + Use forked wire from Grafana repository instead of external package (jsc#PED-14178) + Auth: Fix render user OAuth passthrough. + LDAP Authentication: Fix URL to propagate username context as parameter. + Plugins: Dependencies do not inherit parent URL for preinstall. * Version 11.5.9: + Auditing: Document new options for recording datasource query request/response body. + Login: Fixed redirection after login when Grafana is served from subpath. * Version 11.5.7: + Azure: Fixed legend formatting and resource name determination in template variable queries. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4482,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4482,openSUSE-SLE-15.6-2025-4482 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ Link for SUSE-SU-2025:4482-1 https://lists.suse.com/pipermail/sle-security-updates/2025-December/023614.html E-Mail link for SUSE-SU-2025:4482-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1245302 SUSE Bug 1245302 https://bugzilla.suse.com/1246735 SUSE Bug 1246735 https://bugzilla.suse.com/1246736 SUSE Bug 1246736 https://bugzilla.suse.com/1250616 SUSE Bug 1250616 https://bugzilla.suse.com/1251454 SUSE Bug 1251454 https://bugzilla.suse.com/1251657 SUSE Bug 1251657 https://bugzilla.suse.com/1254113 SUSE Bug 1254113 https://www.suse.com/security/cve/CVE-2025-11065/ SUSE CVE CVE-2025-11065 page https://www.suse.com/security/cve/CVE-2025-3415/ SUSE CVE CVE-2025-3415 page https://www.suse.com/security/cve/CVE-2025-47911/ SUSE CVE CVE-2025-47911 page https://www.suse.com/security/cve/CVE-2025-58190/ SUSE CVE CVE-2025-58190 page https://www.suse.com/security/cve/CVE-2025-6023/ SUSE CVE CVE-2025-6023 page https://www.suse.com/security/cve/CVE-2025-6197/ SUSE CVE CVE-2025-6197 page https://www.suse.com/security/cve/CVE-2025-64751/ SUSE CVE CVE-2025-64751 page SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.6 grafana-11.5.10-150200.3.80.1 grafana-11.5.10-150200.3.80.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 grafana-11.5.10-150200.3.80.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 grafana-11.5.10-150200.3.80.1 as a component of openSUSE Leap 15.6 unknown CVE-2025-11065 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-11065.html CVE-2025-11065 https://bugzilla.suse.com/1250608 SUSE Bug 1250608 Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 CVE-2025-3415 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-3415.html CVE-2025-3415 https://bugzilla.suse.com/1245302 SUSE Bug 1245302 unknown CVE-2025-47911 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-47911.html CVE-2025-47911 https://bugzilla.suse.com/1251308 SUSE Bug 1251308 unknown CVE-2025-58190 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-58190.html CVE-2025-58190 https://bugzilla.suse.com/1251309 SUSE Bug 1251309 An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 CVE-2025-6023 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-6023.html CVE-2025-6023 https://bugzilla.suse.com/1246735 SUSE Bug 1246735 An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL CVE-2025-6197 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-6197.html CVE-2025-6197 https://bugzilla.suse.com/1246736 SUSE Bug 1246736 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1. CVE-2025-64751 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.10-150200.3.80.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.10-150200.3.80.1 openSUSE Leap 15.6:grafana-11.5.10-150200.3.80.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254482-1/ https://www.suse.com/security/cve/CVE-2025-64751.html CVE-2025-64751 https://bugzilla.suse.com/1254112 SUSE Bug 1254112