SB20260325198 - SUSE update for grafana
Published: March 25, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-3415)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the Grafana Alerting DingDing integration is not properly protected. A remote user can gain unauthorized access to sensitive information on the system.
2) Uncontrolled recursion (CVE-ID: CVE-2025-68156)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to uncontrolled recursion within the flatten, min, max, mean, and median functions. A remote attacker can pass specially crafted input to the application and cause a denial of service.
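As an added illustration of the CWE-674 pattern (this is not Grafana's code; the page does not show how the affected functions are structured), the following Go program places a recursive flatten over nested JSON arrays with no depth limit beside a depth-bounded form that fails closed once an assumed `MaxDepth` budget is spent, and feeds the result to a `Mean` aggregate so the bound protects the consumers as well. `MaxDepth`, `Nest` and the JSON inputs are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxDepth is an assumed, illustrative bound on array nesting; the real
// value is a design choice and is not taken from Grafana.
const MaxDepth = 64

// ErrTooDeep is returned when input nests deeper than MaxDepth.
var ErrTooDeep = errors.New("flatten: input nested too deeply")

// FlattenUnbounded mirrors the weak pattern: recursion with no depth limit,
// so the recursion depth is entirely under the control of whoever supplies
// the input.
func FlattenUnbounded(v interface{}) []float64 {
	switch x := v.(type) {
	case []interface{}:
		var out []float64
		for _, e := range x {
			out = append(out, FlattenUnbounded(e)...)
		}
		return out
	case float64:
		return []float64{x}
	}
	return nil
}

// Flatten is the hardened form: it threads a remaining-depth budget through
// the recursion and refuses the input once the budget is spent.
func Flatten(v interface{}) ([]float64, error) {
	return flatten(v, MaxDepth)
}

func flatten(v interface{}, budget int) ([]float64, error) {
	if budget < 0 {
		return nil, ErrTooDeep
	}
	switch x := v.(type) {
	case []interface{}:
		var out []float64
		for _, e := range x {
			sub, err := flatten(e, budget-1)
			if err != nil {
				return nil, err
			}
			out = append(out, sub...)
		}
		return out, nil
	case float64:
		return []float64{x}, nil
	default:
		return nil, fmt.Errorf("flatten: unsupported value %T", v)
	}
}

// Mean aggregates a flattened series; it is one of the consumers that would
// otherwise inherit the unbounded recursion through Flatten.
func Mean(vals []float64) (float64, error) {
	if len(vals) == 0 {
		return 0, errors.New("mean: empty input")
	}
	sum := 0.0
	for _, v := range vals {
		sum += v
	}
	return sum / float64(len(vals)), nil
}

// MeanJSON decodes a JSON document (numbers and arrays only) and returns the
// mean of every number it contains, rejecting over-deep nesting.
func MeanJSON(data []byte) (float64, error) {
	var v interface{}
	if err := json.Unmarshal(data, &v); err != nil {
		return 0, err
	}
	flat, err := Flatten(v)
	if err != nil {
		return 0, err
	}
	return Mean(flat)
}

// Nest builds a constructed JSON document that wraps a single number in n
// nested arrays, the shape an attacker would use to drive the recursion.
func Nest(n int) []byte {
	return []byte(strings.Repeat("[", n) + "1" + strings.Repeat("]", n))
}

func main() {
	fmt.Println(MeanJSON([]byte(`[[1, 2], [3, [4]]]`))) // 2.5 <nil>
	fmt.Println(MeanJSON(Nest(MaxDepth)))                // 1 <nil>
	fmt.Println(MeanJSON(Nest(MaxDepth + 1)))            // 0 flatten: input nested too deeply
}
```

The budget is decremented per array level rather than counted globally, so a wide but shallow document is still accepted; only the nesting depth, which is what drives stack growth, is bounded.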
3) Resource management error (CVE-ID: CVE-2026-21720)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources when caching avatars fetched from the Gravatar service API. If such a request times out after 3 seconds, the goroutine that issued it is left running and keeps consuming system resources.
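The leak pattern the description names, shown as an added Go example (not Grafana's code; the avatar fetch is simulated with a timer instead of a real HTTP call, and the 3-second window is shortened to milliseconds so the program finishes quickly): a caller that stops waiting after a timeout but never tells its worker goroutine, beside the fix that carries the deadline in a `context` the worker observes and gives the worker a buffered result channel so it can always exit. `Leaked` fires a burst of requests at an upstream that never answers in time and reports how many goroutines remain.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime"
	"time"
)

// fetchAvatar stands in for the upstream HTTP call; it answers after
// latency unless the context is cancelled first. Constructed for this example.
func fetchAvatar(ctx context.Context, latency time.Duration) ([]byte, error) {
	select {
	case <-time.After(latency):
		return []byte("png bytes"), nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// leakyCacheAvatar mirrors the weak pattern: the caller stops waiting after
// timeout, but the worker was started with a background context and sends on
// an unbuffered channel, so once the caller has returned the worker can never
// hand over its result and stays resident until the upstream answers.
func leakyCacheAvatar(latency, timeout time.Duration) ([]byte, error) {
	result := make(chan []byte) // unbuffered: the send blocks until received
	go func() {
		b, _ := fetchAvatar(context.Background(), latency)
		result <- b // nobody receives once the timeout branch below has fired
	}()
	select {
	case b := <-result:
		return b, nil
	case <-time.After(timeout):
		return nil, errors.New("avatar fetch timed out")
	}
}

// boundedCacheAvatar is the hardened form: the deadline is propagated into
// the worker through the context, and the result channel is buffered so the
// worker's final send never blocks, whether or not the caller is still there.
func boundedCacheAvatar(latency, timeout time.Duration) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel() // releases the timer and unblocks the worker on any return

	type reply struct {
		b   []byte
		err error
	}
	result := make(chan reply, 1)
	go func() {
		b, err := fetchAvatar(ctx, latency)
		result <- reply{b, err}
	}()
	select {
	case r := <-result:
		return r.b, r.err
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// Leaked issues n requests against an upstream that takes an hour to answer,
// with a 10 ms timeout, and reports how many goroutines are still alive.
func Leaked(cache func(latency, timeout time.Duration) ([]byte, error), n int) int {
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		cache(time.Hour, 10*time.Millisecond)
	}
	time.Sleep(100 * time.Millisecond) // give cancelled workers time to exit
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Println("leaky:  ", Leaked(leakyCacheAvatar, 20))   // 20
	fmt.Println("bounded:", Leaked(boundedCacheAvatar, 20)) // 0
}
```

Both halves of the fix matter: the context alone would still leave the worker stuck on the unbuffered send if the caller had already returned, and the buffered channel alone would leave the worker parked on the upstream until the hour elapsed.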
4) Improper privilege management (CVE-ID: CVE-2026-21721)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to improper privilege management when displaying visualization panels. A remote user can view panels they have no access to.
5) Improper access control (CVE-ID: CVE-2026-21722)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the application does not limit annotation queries to the locked time range of a public dashboard that has annotations enabled. A remote attacker can read the entire history of annotations visible on that dashboard, including those outside the locked time range.
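As an added Go example of the missing check (not Grafana's code; the annotation store and the public-dashboard model are stand-ins constructed here): a query that applies the viewer's requested window as-is, beside the hardened form that intersects the requested window with the dashboard's locked range before consulting the store and rejects windows with no overlap. `SampleDashboard`, `ClampToLocked` and the timestamps are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeRange is a closed interval [From, To].
type TimeRange struct{ From, To time.Time }

// Annotation is a constructed stand-in for a stored dashboard annotation.
type Annotation struct {
	Text string
	At   time.Time
}

// PublicDashboard is a constructed stand-in; Locked is nil when the time
// picker is not locked and the viewer may choose any window.
type PublicDashboard struct {
	Annotations []Annotation
	Locked      *TimeRange
}

// ErrOutsideLockedRange rejects a request that does not overlap the locked range.
var ErrOutsideLockedRange = errors.New("requested range lies outside the locked dashboard range")

func (r TimeRange) contains(t time.Time) bool {
	return !t.Before(r.From) && !t.After(r.To)
}

// queryUnbounded mirrors the weak behaviour: the viewer's requested window is
// applied directly, so any window, including the full history, is honoured.
func queryUnbounded(d PublicDashboard, requested TimeRange) []Annotation {
	var out []Annotation
	for _, a := range d.Annotations {
		if requested.contains(a.At) {
			out = append(out, a)
		}
	}
	return out
}

// ClampToLocked intersects the requested window with the locked one. A
// request with no overlap is an error, never a widened or silently emptied range.
func ClampToLocked(requested, locked TimeRange) (TimeRange, error) {
	from, to := requested.From, requested.To
	if from.Before(locked.From) {
		from = locked.From
	}
	if to.After(locked.To) {
		to = locked.To
	}
	if to.Before(from) {
		return TimeRange{}, ErrOutsideLockedRange
	}
	return TimeRange{from, to}, nil
}

// QueryAnnotations is the hardened form: when the dashboard's range is
// locked, the request is clamped before the store is consulted.
func QueryAnnotations(d PublicDashboard, requested TimeRange) ([]Annotation, error) {
	window := requested
	if d.Locked != nil {
		var err error
		if window, err = ClampToLocked(requested, *d.Locked); err != nil {
			return nil, err
		}
	}
	return queryUnbounded(d, window), nil
}

// SampleDashboard builds a constructed dashboard with one annotation per hour
// on a fixed day and the time picker locked to 04:00-06:00 UTC.
func SampleDashboard() PublicDashboard {
	day := time.Date(2026, time.March, 25, 0, 0, 0, 0, time.UTC)
	var anns []Annotation
	for h := 0; h < 24; h++ {
		anns = append(anns, Annotation{fmt.Sprintf("deploy %02d", h), day.Add(time.Duration(h) * time.Hour)})
	}
	locked := TimeRange{day.Add(4 * time.Hour), day.Add(6 * time.Hour)}
	return PublicDashboard{Annotations: anns, Locked: &locked}
}

func main() {
	d := SampleDashboard()
	whole := TimeRange{d.Annotations[0].At, d.Annotations[23].At}
	fmt.Println(len(queryUnbounded(d, whole))) // 24: the entire history is returned
	got, err := QueryAnnotations(d, whole)
	fmt.Println(len(got), err) // 3 <nil>: only 04:00, 05:00 and 06:00
}
```

The clamp is applied server-side on every request rather than trusting the time range the public dashboard's front end sends, since the viewer controls that value.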
Remediation
Install the update from the vendor's website.