
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN412
_____________________________________________________________________

DATE                : 03/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana Image Renderer versions
                     prior to 3.12.9, or Grafana Synthetic Monitoring
                     Agent versions prior to 0.38.3.

=====================================================================
https://grafana.com/blog/2025/07/02/grafana-security-update-critical-severity-security-release-for-cve-2025-5959-cve-2025-6554-cve-2025-6191-and-cve-2025-6192-in-grafana-image-renderer-plugin-and-synthetic-monitoring-agent/
_____________________________________________________________________

Grafana security update: Critical severity security release for
CVE-2025-5959, CVE-2025-6554, CVE-2025-6191 and CVE-2025-6192 in
Grafana Image Renderer plugin and Synthetic Monitoring Agent

Simon Crute
• 2025-07-02 •

We have released updates for the Grafana Image Renderer plugin and
Synthetic Monitoring Agent to address four critical-severity
vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191 and
CVE-2025-6192) in Chromium, a third-party component that both
products embed. Chromium, the open-source project on which the
Google Chrome browser is built, had vulnerabilities that could allow
remote code execution.

Users who operate the Grafana Image Renderer plugin or have a local
installation of the Synthetic Monitoring Agent are advised to update
their systems. If you are running Grafana Image Renderer < 3.12.9 or
the Synthetic Monitoring Agent < 0.38.3 you should update as soon as
possible.

Appropriate patches have been applied to Grafana Cloud. As always,
we closely coordinated with all cloud providers licensed to offer
Grafana Cloud Pro. They have been notified and have confirmed that
their offerings are secure at the time of this announcement. This
is applicable to Azure Managed Grafana.

Using the CVSS 3.1 methodology, we have rated these CVEs as critical
vulnerabilities for the Grafana operating environment. As of today,
NIST has not yet assigned a score to any of these CVEs, but you can
view their status in the National Vulnerability Database.


Solutions and mitigations 

To remediate these vulnerabilities, follow the instructions below
for your products.


Grafana Image Renderer 

Minimum version: 3.12.9

Plugin install: grafana-cli plugins install grafana-image-renderer
                (installs the latest published version; confirm that
                grafana-cli plugins ls reports 3.12.9 or newer, then
                restart Grafana so the new plugin is loaded)

Container install: docker pull grafana/grafana-image-renderer:3.12.9

Container URL: https://hub.docker.com/layers/grafana/grafana-image-renderer/3.12.9/images/sha256-8603027604d5c332ddecac614e156791d1157b234f7966485d1f4c97346a3dd7 

Documentation: https://grafana.com/grafana/plugins/grafana-image-renderer/


Grafana Synthetic Monitoring Agent

Minimum version: 0.38.3

Package download: https://github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.38.3 

Container install: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser

Container URL: https://hub.docker.com/layers/grafana/synthetic-monitoring-agent/v0.38.3-browser/images/sha256-3e370e303e6728d0c06ea95cf9765c789ff47c975ca197a517097f8fc1c090aa 

Documentation: https://grafana.com/docs/grafana-cloud/testing/synthetic-monitoring/set-up/set-up-private-probes/
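The two remediation blocks above give a minimum version and a pinned
image digest for each product. The script below is an added example
for this advisory, not Grafana's own tooling: it decides whether an
installed Image Renderer or Synthetic Monitoring Agent is still below
the fixed version (handling tags such as v0.38.1-browser), and checks
a pulled image against the digest published above. The sample
grafana-cli output and RepoDigests string are constructed so the
script runs offline; the "<id> @ <version>" line format of
grafana-cli plugins ls is an assumption about that tool's output.

```shell
#!/bin/sh
# Added example for this advisory (not Grafana's code): version and digest
# checks for the two affected products. Runs offline on constructed data.

MIN_RENDERER="3.12.9"
MIN_SM_AGENT="0.38.3"

# Digests copied from the "Container URL" lines of the advisory.
RENDERER_DIGEST="sha256:8603027604d5c332ddecac614e156791d1157b234f7966485d1f4c97346a3dd7"
SM_AGENT_DIGEST="sha256:3e370e303e6728d0c06ea95cf9765c789ff47c975ca197a517097f8fc1c090aa"

# normalize_version TAG: strip a leading "v" and any "-suffix" ("-browser",
# "-rc1"), so "v0.38.1-browser" becomes "0.38.1".
normalize_version() {
  v="${1#v}"
  printf '%s\n' "${v%%-*}"
}

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Components are compared numerically; missing ones count as 0, so
# "3.12" is treated as "3.12.0". Non-numeric components are not supported.
version_lt() {
  a=$(normalize_version "$1"); b=$(normalize_version "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# update_status INSTALLED MINIMUM: print "UPDATE" if INSTALLED < MINIMUM, else "OK".
update_status() {
  if version_lt "$1" "$2"; then printf 'UPDATE\n'; else printf 'OK\n'; fi
}

# plugin_version_from_ls LS_OUTPUT PLUGIN_ID: pull PLUGIN_ID's version out of
# "grafana-cli plugins ls" output (assumed line format: "<id> @ <version>").
plugin_version_from_ls() {
  printf '%s\n' "$1" | awk -v id="$2" '$1 == id && $2 == "@" { print $3; exit }'
}

# digest_matches REPO_DIGESTS EXPECTED: REPO_DIGESTS is the comma-joined output of
#   docker image inspect --format '{{join .RepoDigests ","}}' IMAGE
# (entries look like "grafana/grafana-image-renderer@sha256:..."). Succeed when
# EXPECTED is one of them.
digest_matches() {
  case ",$1," in
    *"@$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# --- Offline demonstration on constructed data ---------------------------------

# Constructed sample of "grafana-cli plugins ls" output on a host still on 3.12.8.
SAMPLE_PLUGINS_LS='installed plugins:
grafana-image-renderer @ 3.12.8
grafana-clock-panel @ 2.1.3'

renderer_installed=$(plugin_version_from_ls "$SAMPLE_PLUGINS_LS" grafana-image-renderer)
printf 'Image Renderer %s -> %s (minimum %s)\n' "$renderer_installed" \
  "$(update_status "$renderer_installed" "$MIN_RENDERER")" "$MIN_RENDERER"

# Constructed agent image tag as seen on a running container.
agent_tag="v0.38.1-browser"
printf 'SM Agent %s -> %s (minimum %s)\n' "$agent_tag" \
  "$(update_status "$agent_tag" "$MIN_SM_AGENT")" "$MIN_SM_AGENT"

# Constructed RepoDigests string, shaped like docker image inspect output after the pull.
sample_digests="grafana/grafana-image-renderer@${RENDERER_DIGEST}"
if digest_matches "$sample_digests" "$RENDERER_DIGEST"; then
  echo "Image Renderer digest matches the advisory"
else
  echo "Image Renderer digest MISMATCH: do not deploy"
fi

# On a real host, feed the same functions live data instead, for example:
#   plugin_version_from_ls "$(grafana-cli plugins ls)" grafana-image-renderer
#   digest_matches "$(docker image inspect --format '{{join .RepoDigests ","}}' \
#       grafana/grafana-image-renderer:3.12.9)" "$RENDERER_DIGEST"
#   digest_matches "$(docker image inspect --format '{{join .RepoDigests ","}}' \
#       grafana/synthetic-monitoring-agent:v0.38.3-browser)" "$SM_AGENT_DIGEST"
```

The digest check matters because a tag such as 3.12.9 can be
re-pushed, while the sha256 digest in the advisory identifies one
exact image; pinning deployments to the digest rather than the tag
removes that ambiguity.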


Timeline and post-incident review

Here is a detailed incident timeline, starting from the first
upstream Chromium CVE publication. All times are in UTC.

    2025/06/11 -        Google publishes CVE-2025-5959
    2025/06/18 - 23:58  Bug bounty report submitted
    2025/06/18 -        Google publishes CVE-2025-6191
    2025/06/18 -        Google publishes CVE-2025-6192
    2025/06/19 - 08:37  Bug bounty report received and accepted
    2025/06/19 - 08:56  Updated image renderer published to GitHub (3.12.8)
    2025/06/19 - 09:38  Updated image renderer deployed to Grafana Cloud
    2025/06/19 - 16:35  Updates applied to k6 suite deployed to Grafana Cloud
    2025/06/24 - 14:21  Updated Synthetic Monitoring Agent released (0.38.1)
    2025/06/30 -        Google publishes CVE-2025-6554
    2025/07/01 - 13:08  Updated Image Renderer plugin published to GitHub (3.12.9)
    2025/07/01 - 13:49  Updated image renderer deployed to Grafana Cloud
    2025/07/01 - 16:12  Updates applied to k6 suite deployed to Grafana Cloud
    2025/07/02 - 09:41  Updated Synthetic Monitoring Agent released (0.38.3)
    2025/07/02 - 18:00  Blog post published


Acknowledgements

We would like to thank Alex Chapman, who reported the original
exploitability of CVE-2025-5959 through our bug bounty program.


Reporting security issues

If you think you have found a security vulnerability, please go
to our Report a security issue page to learn how to send a
security report.

Grafana Labs will send you a response indicating the next steps
in handling your report. After the initial reply to your report,
the security team will keep you informed of the progress towards
a fix and full announcement, and may ask for additional
information or guidance.

Important: We ask you to not disclose the vulnerability before
it has been fixed and announced, unless you received a response
from the Grafana Labs security team that you can do so.

You can also read more about our bug bounty program and find
out who has made our Security Hall of Fame.


Security announcements

We maintain a security category on our blog, where we will
always post a summary, remediation, and mitigation details
for any patch containing security fixes. You can also
subscribe to our RSS feed.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
