{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3415", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2025-04-07T14:28:18.797Z", "datePublished": "2025-07-17T10:13:14.717Z", "dateUpdated": "2025-07-17T14:05:19.284Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "10.4.19+security-01", "status": "affected", "version": "10.4.x", "versionType": "semver"}, {"lessThan": "11.2.10+security-01", "status": "affected", "version": "11.2.x", "versionType": "semver"}, {"lessThan": "11.3.7+security-01", "status": "affected", "version": "11.3.x", "versionType": "semver"}, {"lessThan": "11.4.5+security-01", "status": "affected", "version": "11.4.x", "versionType": "semver"}, {"lessThan": "11.5.5+security-01", "status": "affected", "version": "11.5.x", "versionType": "semver"}, {"lessThan": "11.6.2+security-01", "status": "affected", "version": "11.6.x", "versionType": "semver"}, {"lessThan": "12.0.1+security-01", "status": "affected", "version": "12.0.x", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Saurabh Banawar"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. <br>Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"}], "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"content": {"Automatable": "No", "Exploitation": "None", "Technical Impact": "None", "Value Density": "Diffused"}, "type": "SSVCv2.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-07-17T10:30:00.918Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://grafana.com/security/security-advisories/cve-2025-3415"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-17T14:05:03.257904Z", "id": "CVE-2025-3415", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T14:05:19.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3415", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-17T14:05:03.257904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T14:05:09.376Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Saurabh Banawar"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"type": "SSVCv2.0", "content": {"Automatable": "No", "Exploitation": "None", "Value Density": "Diffused", "Technical Impact": "None"}}}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "10.4.x", "lessThan": "10.4.19+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.x", "lessThan": "11.2.10+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.3.x", "lessThan": "11.3.7+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.4.x", "lessThan": "11.4.5+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.5.x", "lessThan": "11.5.5+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.6.x", "lessThan": "11.6.2+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.0.x", "lessThan": "12.0.1+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-3415", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01", "supportingMedia": [{"type": "text/html", "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. <br>Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-07-17T10:30:00.918Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3415", "state": "PUBLISHED", "dateUpdated": "2025-07-17T14:05:19.284Z", "dateReserved": "2025-04-07T14:28:18.797Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2025-07-17T10:13:14.717Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. \nFixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01"}], "id": "CVE-2025-3415", "lastModified": "2025-07-17T21:15:50.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2025-07-17T11:15:22.240", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2025-3415"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Exposure of DingDing alerting integration URL to Viewer level users", "id": "2374538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374538"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-3415", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3415\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3415"], "statement": "The Grafana development team assessed this as a Medium severity information exposure issue. Viewer-role users can now access sensitive webhook URLs, enabling them to hijack or misuse notifications through the DingDing integration. The underlying cause is weak access control policies that do not restrict configuration data from lower-privileged roles.", "threat_severity": "Moderate"}