SB20260325198 - SUSE update for grafana




Published: March 25, 2026

Security Bulletin ID: SB20260325198
Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 60%, Low 40%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2025-3415)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the Grafana Alerting DingDing integration is not properly protected. A remote user can gain unauthorized access to sensitive information on the system.


2) Uncontrolled recursion (CVE-ID: CVE-2025-68156)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to uncontrolled recursion within the flatten, min, max, mean, and median functions. A remote attacker can pass specially crafted input to the application and perform a denial of service attack.


3) Resource management error (CVE-ID: CVE-2026-21720)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when caching avatars from the Gravatar service API. If such a request times out after 3 seconds, a goroutine is left running, consuming system resources.
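As an added illustration of the bug class in item 3, not code from Grafana or from this bulletin: a hypothetical avatar fetcher whose caller stops waiting after a timeout while the request runs on in a detached goroutine, beside the fix that carries the deadline in the request context so the request itself is aborted. The function names, the in-flight counter and the slow test origin are assumptions made for the example.

```go
package main

import (
	"context"
	"net/http"
	"sync/atomic"
	"time"
)

// inFlight counts detached fetch goroutines; after a timed-out call it must return to zero.
var inFlight int64

func InFlight() int64 { return atomic.LoadInt64(&inFlight) }

// fetchOnce issues one GET bound to ctx and discards the body; cancelling ctx aborts it.
func fetchOnce(ctx context.Context, c *http.Client, url string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// FetchLeaky mirrors the bug class in item 3: the caller stops waiting after timeout, but the
// request is never cancelled and the channel has lost its reader, so the worker never exits.
func FetchLeaky(c *http.Client, url string, timeout time.Duration) error {
	ch := make(chan error) // unbuffered: the send blocks forever once the caller has gone
	atomic.AddInt64(&inFlight, 1)
	go func() {
		defer atomic.AddInt64(&inFlight, -1)
		ch <- fetchOnce(context.Background(), c, url) // background ctx: never cancelled
	}()
	select {
	case err := <-ch:
		return err
	case <-time.After(timeout):
		return context.DeadlineExceeded
	}
}

// FetchFixed carries the deadline in the request context, so when it fires the transport aborts the request and nothing is left running.
func FetchFixed(c *http.Client, url string, timeout time.Duration) error {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return fetchOnce(ctx, c, url)
}
```

A production fetcher would also bound the number of concurrent avatar requests, but the context-bound request is what stops the per-timeout goroutine leak described above.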


4) Improper privilege management (CVE-ID: CVE-2026-21721)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper privilege management when displaying visualization panels. A remote user can view panels they are not authorized to access.


5) Improper access control (CVE-ID: CVE-2026-21722)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists because the application does not limit the annotation time range to the locked time range of a public dashboard with annotations enabled. A remote attacker can read the entire history of annotations visible on the specific dashboard, including those outside the locked time range.


Remediation

Install the update from the vendor's website.