Date: Wed, 18 Jun 2025 17:46:29 GMT From: Fernando Apesteguía <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 49fd60e6a263 - main - security/vuxml: Add grafana vulnerability Message-ID: <202506181746.55IHkTSR073345@gitrepo.freebsd.org>
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=49fd60e6a263da25cbfc6b32f060cd2050bc21bd commit 49fd60e6a263da25cbfc6b32f060cd2050bc21bd Author: Boris Korzun <drtr0jan@yandex.ru> AuthorDate: 2025-06-18 17:45:19 +0000 Commit: Fernando Apesteguía <fernape@FreeBSD.org> CommitDate: 2025-06-18 17:45:19 +0000 security/vuxml: Add grafana vulnerability While here, correct versions for a previous grafana entry. PR: 287634 Reported by: Boris Korzun <drtr0jan@yandex.ru> --- security/vuxml/vuln/2025.xml | 118 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 116 insertions(+), 2 deletions(-) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index c59348b27dc0..5ebc716f5bb8 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml 
@@ -1,3 +1,103 @@ + <vuln vid="6548cb01-4c33-11f0-8a97-6c3be5272acd"> + <topic>Grafana -- DingDing contact points exposed in Grafana Alerting</topic> + <affects> + <package> + <name>grafana</name> + <range><lt>10.4.19+security-01</lt></range> + <range><ge>11.0.0</ge><lt>11.2.10+security-01</lt></range> + <range><ge>11.3.0</ge><lt>11.3.7+security-01</lt></range> + <range><ge>11.4.0</ge><lt>11.4.5+security-01</lt></range> + <range><ge>11.5.0</ge><lt>11.5.5+security-01</lt></range> + <range><ge>11.6.0</ge><lt>11.6.2+security-01</lt></range> + <range><ge>12.0.0</ge><lt>12.0.1+security-01</lt></range> + </package> + <package> + <name>grafana8</name> + <range><ge>8.0.0</ge></range> + </package> + <package> + <name>grafana9</name> + <range><ge>9.0.0</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Grafana Labs reports:</p> + <blockquote cite="https://grafana.com/blog/2025/06/13/grafana-security-update-medium-severity-security-release-for-cve-2025-3415/"> + <p>An incident occurred where the DingDing alerting integration URL + was inadvertently exposed to viewers due to a setting oversight, + which we learned about through a <a href="https://grafana.com/blog/2023/05/04/introducing-the-grafana-labs-bug-bounty-program/">bug bounty report</a>.</p> + <p>The CVSS 3.0 score for this vulnerability is 4.3 (Medium).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-3415</cvename> + <url>https://grafana.com/blog/2025/06/13/grafana-security-update-medium-severity-security-release-for-cve-2025-3415/</url> + </references> + <dates> + <discovery>2025-04-05</discovery> + <entry>2025-06-18</entry> + </dates> + </vuln> + + <vuln vid="ee046f5d-37a8-11f0-baaa-6c3be5272acd"> + <topic>Grafana -- User deletion issue</topic> + <affects> + <package> + <name>grafana</name> + <range><ge>5.4.0</ge><lt>10.4.18+security-01</lt></range> + <range><ge>11.0.0</ge><lt>11.2.9+security-01</lt></range> + 
<range><ge>11.3.0</ge><lt>11.3.6+security-01</lt></range> + <range><ge>11.4.0</ge><lt>11.4.4+security-01</lt></range> + <range><ge>11.5.0</ge><lt>11.5.4+security-01</lt></range> + <range><ge>11.6.0</ge><lt>11.6.1+security-01</lt></range> + <range><ge>12.0.0</ge><lt>12.0.0+security-01</lt></range> + </package> + <package> + <name>grafana8</name> + <range><ge>8.0.0</ge></range> + </package> + <package> + <name>grafana9</name> + <range><ge>9.0.0</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Grafana Labs reports:</p> + <blockquote cite="https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/"> + <p>On April 15, we discovered a vulnerability that stems from the user + deletion logic associated with organization administrators. + An organization admin could remove any user from the specific + organization they manage. Additionally, they have the power to delete + users entirely from the system if they have no other org membership. 
+ This leads to two situations:</p> + <ol> + <li>They can delete a server admin if the organization + the Organization Admin manages is the server admin’s final + organizational membership.</li> + <li>They can delete any user (regardless of whether they are a server + admin or not) if that user currently belongs to no organizations.</li> + </ol> + <p>These two situations allow an organization manager to disrupt + instance-wide activity by continually deleting server administrators + if there is only one organization or if the server administrators are + not part of any organization.</p> + <p>The CVSS score for this vulnerability is 5.5 Medium.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-3580</cvename> + <url>https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/</url> + </references> + <dates> + <discovery>2025-04-15</discovery> + <entry>2025-05-23</entry> + </dates> + </vuln> + <vuln vid="b704d4b8-4b87-11f0-9605-b42e991fc52e"> <topic>Firefox -- Multiple vulnerabilities</topic> <affects> @@ -1225,7 +1325,21 @@ <affects> <package> <name>grafana</name> - <range><lt>12.0.1</lt></range> + <range><ge>8.0.0</ge><lt>10.4.18+security-01</lt></range> + <range><ge>11.0.0</ge><lt>11.2.9+security-01</lt></range> + <range><ge>11.3.0</ge><lt>11.3.6+security-01</lt></range> + <range><ge>11.4.0</ge><lt>11.4.4+security-01</lt></range> + <range><ge>11.5.0</ge><lt>11.5.4+security-01</lt></range> + <range><ge>11.6.0</ge><lt>11.6.1+security-01</lt></range> + <range><ge>12.0.0</ge><lt>12.0.0+security-01</lt></range> + </package> + <package> + <name>grafana8</name> + <range><ge>8.0.0</ge></range> + </package> + <package> + <name>grafana9</name> + <range><ge>9.0.0</ge></range> </package> </affects> <description> 
@@ -1251,7 +1365,7 @@ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4123</url> </references> <dates> - <discovery>2025-05-22</discovery> + <discovery>2025-04-26</discovery> <entry>2025-05-27</entry> </dates> </vuln>
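Review bot: in the first hunk (@@ -1,3 +1,103 @@), the second new entry (vid ee046f5d-37a8-11f0-baaa-6c3be5272acd, CVE-2025-3580) sets `<entry>2025-05-23</entry>`, but this commit adds it on 2025-06-18 and the DingDing entry in the same hunk correctly uses `<entry>2025-06-18</entry>`; 2025-05-23 is the date in the linked Grafana advisory URL, not the date the vuxml entry was added, so it should read `<entry>2025-06-18</entry>`. A second, smaller point in the same hunk: the DingDing entry's first `grafana` range, `<range><lt>10.4.19+security-01</lt></range>`, has no `<ge>` lower bound while the CVE-2025-3580 entry right below it uses `<ge>5.4.0</ge>`; if the advisory gives an introducing version, add it so that `pkg audit` does not flag versions that predate the affected code.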
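Review bot: in the second hunk (@@ -1225,7 +1325,21 @@), the new lower bound `<range><ge>8.0.0</ge><lt>10.4.18+security-01</lt></range>` for the CVE-2025-4123 entry disagrees with the CVE-2025-3580 entry added in the first hunk, which uses `<ge>5.4.0</ge>` for exactly the same list of fixed versions; replacing the previously unbounded `<lt>12.0.1</lt>` with `<ge>8.0.0</ge>` silently declares grafana < 8.0.0 unaffected, so either cite the introducing version from the advisory or drop the `<ge>` and leave the low end open as before. The rest of the change is sound: `<lt>12.0.1</lt>` over-reported every 10.4.x and 11.x security release (all of which sort below 12.0.1) as vulnerable, and the per-branch ranges match the CVE-2025-3580 entry, which is consistent with both CVEs being fixed in the same release named in the advisory URL, but the commit message only says "correct versions" and would be clearer if it stated that.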
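Review bot: the third hunk (@@ -1251,7 +1365,7 @@) changes `<discovery>` of an already published entry (and the previous hunk changes its ranges) without adding a `<modified>` element to `<dates>`; vuxml records edits to an existing entry with `<modified>YYYY-MM-DD</modified>` after `<entry>`, so add `<modified>2025-06-18</modified>` here. The new value `<discovery>2025-04-26</discovery>` is also unsourced in the commit message; the advisory linked from the entry is dated 2025-05-23, so a note on where 2025-04-26 comes from (PR 287634 or the NVD record) would help whoever next audits this entry.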
