
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN831
_____________________________________________________________________

DATE                : 02/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana Enterprise versions prior
                           to 12.3, 12.2.1, 12.1.3, 12.0.6.

=====================================================================
https://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/
_____________________________________________________________________

Grafana Enterprise security update: critical severity security fix
for CVE-2025-41115
Vardan Torosyan, 2025-11-19

Updated Nov. 28, 2025: In the timeline, the time reported for
2025-11-04 was corrected from 19:14 UTC to 15:59 UTC.

Along with the release of Grafana Enterprise 12.3, we are releasing
updated versions of Grafana Enterprise 12.2.1, 12.1.3 and 12.0.6, all
of which contain a fix for a critical severity vulnerability
(CVE-2025-41115) discovered in SCIM (System for Cross-domain Identity
Management) provisioning. This issue could allow privilege escalation
or user impersonation under certain configurations.

Grafana Enterprise 12.3.0 latest release with security patch:

    Download Grafana Enterprise 12.3 

Grafana Enterprise 12.2.1 with security patch:

    Download Grafana Enterprise 12.2.1

Grafana Enterprise 12.1.3 with security patch:

    Download Grafana Enterprise 12.1.3

Grafana Enterprise 12.0.6 with security patch:

    Download Grafana Enterprise 12.0.6

Grafana Labs customers received patch versions in advance and
appropriate patches have been applied to Grafana Cloud. As always,
we closely coordinated with all cloud providers licensed to offer
Grafana Cloud Pro. They have received early notification under
embargo and confirmed that their offerings are secure at the time
of this announcement. This is applicable to Amazon Managed
Grafana and Azure Managed Grafana.

Grafana OSS users are not affected by this issue. 


Incorrect privilege assignment (CVE-2025-41115)

Summary

SCIM provisioning was introduced in Grafana Enterprise and Grafana
Cloud in April to improve how organizations manage users and teams
in Grafana by introducing automated user lifecycle management.

In Grafana versions 12.x where SCIM provisioning is enabled and
configured, a flaw in user identity handling allows a malicious or
compromised SCIM client to provision a user with a purely numeric
externalId. Because that value becomes the user's uid, it can be
confused with an existing internal numeric user ID, which can lead to
impersonation or privilege escalation.

This vulnerability applies only if all of the following conditions
are met:

    the enableSCIM feature flag is set to true
    the user_sync_enabled option in the [auth.scim] block is set to true

The CVSS score for this vulnerability is 10.0 Critical.

Impact

Grafana maps the SCIM externalId directly to the internal user.uid;
therefore, numeric values (e.g. “1”) may be interpreted as internal
numeric user IDs. 

In specific cases this could allow the newly provisioned user to be 
treated as an existing internal account, such as the Admin, leading
to potential impersonation or privilege escalation.


Impacted versions

The vulnerability impacts Grafana Enterprise running on the following
versions:

    Grafana Enterprise 12.0.0 and later, up to but not including the
    patched release of each minor line (12.0.6, 12.1.3, 12.2.1) and
    12.3

Appropriate patches have been applied to Grafana Cloud.
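The following is an added Go check, written for this note rather than
taken from Grafana or the advisory, that applies the three exposure
conditions together (an affected 12.x version, the enableSCIM toggle,
and user_sync_enabled in [auth.scim]) to a version string and a
grafana.ini. The ini reader is a minimal constructed one, the sample
configuration is constructed, and the two feature-toggle key forms it
accepts are the documented ones ([feature_toggles] enable = ... and a
per-toggle enableSCIM = true). GF_* environment-variable overrides are
not examined.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch records, per affected 12.x minor line, the first release the
// advisory names as patched (12.0.6, 12.1.3, 12.2.1). 12.3 and later are fixed.
var fixedPatch = map[int]int{0: 6, 1: 3, 2: 1}

// ParseVersion accepts "12.1.2", "v12.3" or "12.2.0+security-01" and returns
// major, minor, patch (a missing patch component counts as 0).
func ParseVersion(s string) (major, minor, patch int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised version %q", s)
		}
	}
	return nums[0], nums[1], nums[2], nil
}

// VersionAffected is true for 12.x releases older than the patched release
// of their own minor line; other majors and 12.3+ are reported unaffected.
func VersionAffected(s string) (bool, error) {
	maj, min, pat, err := ParseVersion(s)
	if err != nil || maj != 12 {
		return false, err
	}
	fix, ok := fixedPatch[min]
	return ok && pat < fix, nil
}

// ParseINI is a deliberately minimal ini reader (sections, key = value,
// ';' and '#' comments); it is not Grafana's configuration loader.
func ParseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		if key, val, ok := strings.Cut(line, "="); ok {
			if cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			cfg[section][strings.ToLower(strings.TrimSpace(key))] = strings.TrimSpace(val)
		}
	}
	return cfg
}

// SCIMToggleOn accepts both "[feature_toggles] enable = enableSCIM,..." and
// "[feature_toggles] enableSCIM = true".
func SCIMToggleOn(cfg map[string]map[string]string) bool {
	ft := cfg["feature_toggles"]
	for _, f := range strings.Split(ft["enable"], ",") {
		if strings.EqualFold(strings.TrimSpace(f), "enableSCIM") {
			return true
		}
	}
	return strings.EqualFold(ft["enablescim"], "true")
}

func UserSyncOn(cfg map[string]map[string]string) bool {
	return strings.EqualFold(cfg["auth.scim"]["user_sync_enabled"], "true")
}

// Exposed is true only when all three advisory conditions hold; findings
// lists whichever conditions were met so a partial match stays visible.
func Exposed(version, iniText string) (bool, []string, error) {
	affected, err := VersionAffected(version)
	if err != nil {
		return false, nil, err
	}
	cfg := ParseINI(iniText)
	var findings []string
	if affected {
		findings = append(findings, "version "+version+" predates the patched release of its minor line")
	}
	if SCIMToggleOn(cfg) {
		findings = append(findings, "enableSCIM feature toggle is on")
	}
	if UserSyncOn(cfg) {
		findings = append(findings, "[auth.scim] user_sync_enabled = true")
	}
	return len(findings) == 3, findings, nil
}

// SampleINI is a constructed grafana.ini fragment with both settings on.
const SampleINI = "[feature_toggles]\nenable = enableSCIM\n\n[auth.scim]\nuser_sync_enabled = true\n"

func main() {
	for _, v := range []string{"12.2.0", "12.2.1", "12.0.5", "12.3.0"} {
		exposed, findings, err := Exposed(v, SampleINI)
		fmt.Printf("%-7s exposed=%v err=%v %v\n", v, exposed, err, findings)
	}
}
```

Because 12.0.6, 12.1.3 and 12.2.1 are each the fix for their own minor
line, a plain "version < 12.2.1" comparison would wrongly flag 12.0.6
and 12.1.3 as affected; the per-minor table avoids that.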


Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one
of the patched versions as soon as possible. Because the issue can only
be triggered when both the enableSCIM feature flag and the
user_sync_enabled option in [auth.scim] are set to true, disabling SCIM
user synchronization until the upgrade is applied removes the exposure,
at the cost of pausing automated user provisioning. Since the
externalId is chosen by the SCIM client, the credentials of that client
should also be treated as administrative secrets.


Timeline and post-incident review

Here is a detailed incident timeline, starting from the discovery of
the issue during internal testing. All times are in UTC.

    2025-11-04 15:59 As part of internal audit and testing, we discovered
that there is a scenario where user IDs can be overwritten when using
SCIM with specific configuration.
    2025-11-04 16:30 Internal incident declared. CVE-2025-41115 reserved.
    2025-11-04 16:45 We concluded that the vulnerability has not been
exploited in Grafana Cloud. Introduced immediate patch.
    2025-11-05 17:52 Private release.
    2025-11-19 10:33 Public release. 
    2025-11-19 19:30 Blog post published.


Reporting security issues

If you think you have found a security vulnerability, please go to our
Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in
handling your report. After the initial reply to your report, the
security team will keep you informed of the progress towards a fix
and full announcement, and may ask for additional information or
guidance.

Important: We ask you to not disclose the vulnerability before it has
been fixed and announced, unless you received a response from the
Grafana Labs security team that you can do so.

You can also read more about our bug bounty program and find out who
has made our Security Hall of Fame.


Security announcements

We maintain a security category on our blog, where we will always post
a summary, remediation, and mitigation details for any patch containing
security fixes. You can also subscribe to our RSS feed.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================