
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN249

_____________________________________________________________________

DATE                : 23/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to
                     11.6.0+security-01, 11.5.3+security-01, 
                     11.4.3+security-01, 11.3.5+security-01,
                     11.2.8+security-01, 10.4.17+security-01.

=====================================================================
https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/
_____________________________________________________________________

Grafana security release: Medium and high severity fixes for
CVE-2025-3260, CVE-2025-2703, CVE-2025-3454

Grafana Labs Team • 2025-04-22

Today we are releasing security patches for Grafana 11.6.0, 11.5.3,
11.4.3, 11.3.5, 11.2.8, and 10.4.17. These patch releases include
a high severity fix for CVE-2025-3260 and medium severity fixes
for CVE-2025-2703 and CVE-2025-3454.

    Download Grafana 11.6.0+security-01
    Download Grafana 11.5.3+security-01
    Download Grafana 11.4.3+security-01
    Download Grafana 11.3.5+security-01
    Download Grafana 11.2.8+security-01
    Download Grafana 10.4.17+security-01

If you are currently running Grafana OSS or Grafana Enterprise,
please update to one of the above security releases to address
all the vulnerabilities described below. While all of these
releases are patched, we generally recommend that you choose
the one that corresponds to your current version or branch
(for example, 11.4.x, 11.5.x, and so on).

Appropriate patches have been applied to Grafana Cloud and as
always, we closely coordinated with all cloud providers
licensed to offer Grafana Cloud Pro. They have received early
notification under embargo and confirmed that their offerings
are secure at the time of this announcement. This is
applicable to Amazon Managed Grafana and Azure Managed Grafana.


Bypass Viewer and Editor permissions (CVE-2025-3260)
Summary

During the development of a new feature in Grafana 11.6.x, a
security vulnerability was introduced that allows for Viewers
and Editors to bypass dashboard-specific permissions. As a
result, users with the Viewer role could view all the
dashboards within their org and users with the Editor role
could view, edit, and delete all the dashboards in their org. 

Note: Organization isolation boundaries still apply, which
means viewers and editors in one organization cannot view or
edit dashboards in another org. Also this vulnerability does
not allow users to query data via data sources they don’t
have access to.

The CVSS score for this vulnerability is 8.3 HIGH.
Impact

In developing the new /apis/dashboard.grafana.app/* endpoints
for Grafana 11.6.x, a security vulnerability was introduced
that allows Viewers and Editors to bypass permissions for
dashboards and folders. As a result: 

    Users with the Viewer role can view all the dashboards within
        their org, even if they don’t have permissions to view those
        dashboards.
    Users with the Editor role can view, edit, or delete all the
        dashboards within their org, even if they don’t have
        permissions to view, edit, or delete those dashboards.

The vulnerability also applies to instances with anonymous
authentication. 

    When anonymous authentication is configured with a Viewer role,
        anonymous users will be able to view all dashboards.
    When anonymous authentication is configured with an Editor role,
        anonymous users will be able to create, edit, or delete all
        dashboards.

Impacted versions

>= Grafana 11.6.0


Solutions and mitigations

To fully address CVE-2025-3260, please upgrade your Grafana
instances.
The alternative is to put network policies in place that would block
all inbound traffic to 

    /apis/dashboard.grafana.app/v0alpha1
    /apis/dashboard.grafana.app/v1alpha1
    /apis/dashboard.grafana.app/v2alpha1

Note: Because Grafana is capable of issuing requests via data sources,
the data source proxy, and various other features, these policies
must be robust enough to block requests coming from localhost.
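The advisory's mitigation is a block on the three versioned API prefixes, and its note says the block must also catch requests that Grafana originates itself from localhost. The script below is an added example (not from the advisory and not Grafana's own code) that scans router log lines for requests to those prefixes, so an operator can confirm a network policy is holding and review who reached the endpoints before it was in place. The log lines are constructed to resemble Grafana's "Request Completed" entries (field names and order are an assumption; adjust the parser for your format), the prefix list is taken from the advisory, and treating userId=0 with an empty uname as anonymous is a heuristic of this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Prefixes the advisory says inbound traffic should be blocked for.
BLOCKED_PREFIXES = (
    "/apis/dashboard.grafana.app/v0alpha1",
    "/apis/dashboard.grafana.app/v1alpha1",
    "/apis/dashboard.grafana.app/v2alpha1",
)

# Constructed sample lines in the shape of Grafana's "Request Completed"
# router log (assumption: field names and order may differ on your
# instance; adapt KV_RE / field names if so). userId=0 with an empty
# uname is taken to be an anonymous request.
SAMPLE_LOG = """\
logger=context userId=7 orgId=1 uname=alice t=2025-04-04T04:10:11Z level=info msg="Request Completed" method=GET path=/api/dashboards/uid/abc123 status=200 remote_addr=10.0.0.5
logger=context userId=7 orgId=1 uname=alice t=2025-04-04T04:11:02Z level=info msg="Request Completed" method=GET path=/apis/dashboard.grafana.app/v1alpha1/namespaces/default/dashboards status=200 remote_addr=10.0.0.5
logger=context userId=0 orgId=1 uname= t=2025-04-04T04:12:30Z level=info msg="Request Completed" method=GET path=/apis/dashboard.grafana.app//v0alpha1/namespaces/default/dashboards/xyz status=200 remote_addr=127.0.0.1
logger=context userId=3 orgId=1 uname=bob t=2025-04-04T04:13:00Z level=info msg="Request Completed" method=DELETE path=/apis/dashboard.grafana.app/v2alpha1/namespaces/default/dashboards/xyz status=200 remote_addr=192.0.2.9
"""

# key=value pairs; values may be double-quoted and may be empty.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize_path(raw: str) -> str:
    """Canonical path: query dropped, percent-decoded, duplicate slashes
    collapsed and dot segments resolved, exactly one leading '/'.
    Matching on the canonical form means the rule covers every spelling
    of the same route, which is what 'robust' policies need."""
    path = raw.split("?", 1)[0]
    return "/" + posixpath.normpath(unquote(path)).lstrip("/")


def is_blocked(raw_path: str) -> bool:
    """True if the request targets one of the prefixes the advisory
    recommends blocking (the prefix itself or anything beneath it)."""
    p = normalize_path(raw_path)
    return any(p == pre or p.startswith(pre + "/") for pre in BLOCKED_PREFIXES)


def find_hits(log_text: str) -> list:
    """Report every logged request to the blocked prefixes, flagging
    those that came from localhost, since the advisory warns that
    Grafana itself can originate such requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        path = rec.get("path", "")
        if not path or not is_blocked(path):
            continue
        addr = rec.get("remote_addr", "")
        hits.append({
            "user": rec.get("uname") or "anonymous",
            "method": rec.get("method"),
            "path": normalize_path(path),
            "status": rec.get("status"),
            "remote_addr": addr,
            "local_origin": addr.startswith(("127.", "::1")),
        })
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        flag = " (localhost)" if h["local_origin"] else ""
        print(f'{h["user"]:<10} {h["method"]:<6} {h["status"]} '
              f'{h["remote_addr"]}{flag} {h["path"]}')
```

Run it against a real router log by replacing SAMPLE_LOG with the file contents; any hit with status 200 from a Viewer or Editor account, or from localhost after the policy was deployed, is worth a closer look. The prefix list only covers the three versions named in the advisory, so extend BLOCKED_PREFIXES if your policy blocks more.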

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally
introduced the issue. All times are in UTC.

    2025-01-15 - Faulty dashboard permission evaluation logic is
        introduced in Grafana.
    2025-02-21 - Another faulty dashboard permission evaluation logic
        is introduced in Grafana.
    2025-04-04 4:21 - Internal incident declared.
    2025-04-04 9:06 - CVE-2025-3260 reserved.
    2025-04-04 9:21 - We introduced a patch for Grafana Cloud.
    2025-04-04 23:11 - We concluded that no one exploited the
        vulnerability in Grafana Cloud.
    2025-04-08 8:14 - Private release.
    2025-04-22 20:00 - Public release.
    2025-04-23 01:00 - Blog post published.


DOM XSS vulnerability (CVE-2025-2703)
Summary

An external security researcher responsibly reported a DOM XSS
vulnerability in Grafana’s built-in XY chart plugin.

The CVSS score for this vulnerability is 6.8 MEDIUM.

Impact

A Grafana user with Editor permissions or
`fixed:library.panels:general.writer` RBAC permissions can edit
an XY chart panel to include an XSS payload, which will execute
arbitrary JavaScript upon render. Due to the nature of the XSS,
the current Content Security Policy is not effective in stopping
the JavaScript from executing.

Impacted versions

>= Grafana 11.1.0

Solutions and mitigations

To fully address CVE-2025-2703, please upgrade your Grafana
instances.

As an alternative for Grafana OSS and Grafana Enterprise, you
can enable Trusted Types. 

Trusted Types is an extension for the Content Security Policy
that will effectively mitigate DOM XSS vulnerabilities from
being exploited by preventing the injection of untrusted data
into critical DOM sinks such as innerHTML, eval, new function(),
and similar APIs, which were the culprit for this vulnerability.

Note: Trusted Types is an experimental feature and if enabled,
it will impact your entire Grafana instance. To learn more,
refer to our Trusted Types announcement blog post and enablement
documentation. 

Timeline and post-incident review

Here is a detailed incident timeline starting from when we
originally introduced the issue. All times are in UTC.

    2025-03-14 13:03 - Initial email sent to security@grafana.com.
    2025-03-21 11:35 - Grafana Labs Security Team responds with
        confirmation.
    2025-04-04 10:32 - Fixes merged and backported.
    2025-04-07 23:54 - Private release.
    2025-04-22 20:00 - Public release.
    2025-04-23 01:00 - Blog published.


Authorization bypass in data source proxy API (CVE-2025-3454)
Summary

This vulnerability, which was discovered while reviewing a pull
request from an external contributor, affects Grafana’s data
source proxy API and allows authorization checks to be bypassed
by adding an extra slash character (/) in the URL path. Among
Grafana-maintained data sources, the vulnerability only affects
the read paths of Prometheus (all flavors) and Alertmanager
when configured with basic authorization.

The CVSS score for this vulnerability is 5.0 MEDIUM.

Impact

Grafana users could gain unauthorized read access to GET endpoints
in Alertmanager and Prometheus data sources, despite their assigned
roles and permissions. In addition to Alertmanager and certain
Prometheus-based data sources, the vulnerability primarily affects
data sources that implement route-specific permissions and use
basic authorization to access the data source.

Impacted versions

>= Grafana 8.0

Grafana instances running versions between Grafana 8.x and Grafana
10.4.x should upgrade to Grafana 10.4.17+security-01.

Solutions and mitigations

To fully address CVE-2025-3454, please upgrade your Grafana
instances.

As an alternative, you can use a reverse proxy that can sanitize
the URL before sending data to Grafana.
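What "sanitize the URL" has to achieve is that the path on which a route-permission decision is made is the same path the upstream ends up serving; an extra slash is exactly the kind of difference that lets the two diverge. The following is an added example, not Grafana's code and not a description of how its proxy is implemented: a small authorization front-end of the sort a reverse proxy could run, which canonicalises the path first, decides on the canonical form, and forwards only that form. The proxy URL shape (`/api/datasources/proxy/<id>/...` and `/api/datasources/proxy/uid/<uid>/...`) follows Grafana's documented data source proxy routes; the route table and the roles attached to it are hypothetical. Refusing percent-encoded `/` and `.` rather than guessing how the upstream decodes them is a design choice of this example.

```python
import posixpath
import re

# Hypothetical route-permission table, modelled on the idea of
# route-specific data source permissions the advisory describes
# (assumption: real plugin route definitions and their role
# requirements differ; this table is illustrative only).
ROUTES = [
    # (method, path under the data source, roles allowed)
    ("GET", "/api/v1/query", {"Viewer", "Editor", "Admin"}),
    ("GET", "/api/v1/alerts", {"Editor", "Admin"}),
    ("POST", "/api/v1/silences", {"Admin"}),
]

# Shape of Grafana's data source proxy URLs (by numeric id or by uid).
PROXY_RE = re.compile(
    r"^/api/datasources/proxy/(?:uid/)?(?P<ds>[^/]+)(?P<rest>/.*)?$")

# A percent-encoded '/' or '.' is ambiguous: whether the upstream treats
# it as a separator is its decision, not ours, so the sanitizer refuses
# the request instead of guessing (fail closed).
AMBIGUOUS_RE = re.compile(r"%2[fe]", re.IGNORECASE)


def sanitize_path(raw: str):
    """Canonical request path: query dropped, duplicate slashes
    collapsed, '.' and '..' segments resolved, exactly one leading '/'.
    Returns None when the path cannot be canonicalised safely."""
    path = raw.split("?", 1)[0]
    if AMBIGUOUS_RE.search(path):
        return None
    return "/" + posixpath.normpath(path).lstrip("/")


def split_proxy_path(path: str):
    """Split '/api/datasources/proxy/<ds>/<rest>' into (ds, rest);
    None if the path is not a data source proxy request."""
    m = PROXY_RE.match(path)
    if m is None:
        return None
    return m.group("ds"), m.group("rest") or "/"


def authorize(method: str, raw_path: str, role: str):
    """Return (allowed, forward_path). The decision is taken on the
    sanitized path and that same path is what gets forwarded, so the
    route that was authorized is the route the upstream serves."""
    path = sanitize_path(raw_path)
    if path is None:
        return False, None                 # refused at sanitization
    parts = split_proxy_path(path)
    if parts is None:
        return False, path                 # not a data source proxy request
    _ds, rest = parts
    for m, route, roles in ROUTES:
        if method == m and (rest == route or rest.startswith(route + "/")):
            return role in roles, path
    return False, path                     # default deny: no matching route


if __name__ == "__main__":
    for req in [("GET", "/api/datasources/proxy/1/api/v1/query", "Viewer"),
                ("GET", "/api/datasources/proxy/1//api/v1/alerts", "Viewer"),
                ("GET", "/api/datasources/proxy/1/api/v1/alerts", "Editor")]:
        print(req, "->", authorize(*req))
```

The point to carry over to a real deployment is the order of operations: canonicalise, decide, then forward the canonical path, never the raw one. If your proxy decodes percent-escapes before this step, make sure the upstream applies the same decoding, otherwise the fail-closed branch is the safer choice.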

Timeline and post-incident review

Here is a detailed incident timeline starting from when we
originally introduced the issue. All times are in UTC.

    2021-04-14 - The faulty permission evaluation logic is
        introduced into Grafana.
    2025-03-25 21:20 UTC - During an internal review of related
        code changes, the vulnerability is discovered and an incident
        is declared.
    2025-03-26 18:05 - The impact is identified in Grafana 8.0+.
    2025-03-27 15:34 UTC - The fix for the vulnerability is opened.
    2025-04-01 15:43 UTC - The fix and all backports are merged.
    2025-04-08 20:30 UTC - CVE is assigned.
    2025-04-08 16:48 UTC - Private release.
    2025-04-22 20:00 UTC - Public release.
    2025-04-23 01:00 UTC - Blog post published.

Reporting security issues

If you think you have found a security vulnerability, please
go to our Report a security issue page to learn how to send
a security report.

Grafana Labs will send you a response indicating the next steps
in handling your report. After the initial reply to your report,
the security team will keep you informed of the progress
towards a fix and full announcement, and may ask for additional
information or guidance.

Important: We ask you to not disclose the vulnerability before
it has been fixed and announced, unless you received a response
from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog, where we will always
post a summary, remediation, and mitigation details for any patch
containing security fixes. You can also subscribe to our RSS feed.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
