FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Authorization bypass in data source proxy API

Affected packages
8.0.0 <= grafana < 10.4.17+security-01
11.0.0 <= grafana < 11.2.8+security-01
11.3.0 <= grafana < 11.3.5+security-01
11.4.0 <= grafana < 11.4.3+security-01
11.5.0 <= grafana < 11.5.3+security-01
11.6.0 <= grafana < 11.6.0+security-01
8.0.0 <= grafana8
9.0.0 <= grafana9

Details

VuXML ID 310f5923-211c-11f0-8ca6-6c3be5272acd
Discovery 2025-03-25
Entry 2025-04-24

Grafana Labs reports:

This vulnerability, which was discovered while reviewing a pull request from an external contributor, affects Grafana’s data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.

The CVSS score for this vulnerability is 5.0 MEDIUM.
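As an added illustration outside the vendor's report (not Grafana's code and not the upstream fix), the Go sketch below shows the bug class in miniature: an authorization check that splits the raw URL path into segments is thrown off by a doubled slash, while a version that canonicalises with path.Clean and fails closed is not. The route shape, the allow-list and the "unrecognised paths pass through" behaviour of the weak check are assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical allow-list: data source ids this user may read.
var allowed = map[string]bool{"1": true}

// dataSourceID pulls the <id> segment out of /api/datasources/proxy/<id>/...
// by splitting on "/" and returns "" when the shape does not match.
func dataSourceID(p string) string {
	parts := strings.Split(p, "/") // parts[0] == "" for a leading "/"
	if len(parts) < 5 || parts[1] != "api" || parts[2] != "datasources" || parts[3] != "proxy" {
		return ""
	}
	return parts[4]
}

// naiveAuthorize checks the raw path. A doubled slash shifts the segments,
// the id comes back empty, and the request is treated as "not a proxy
// request" and waved through (constructed weak behaviour for illustration).
func naiveAuthorize(rawPath string) bool {
	id := dataSourceID(rawPath)
	if id == "" {
		return true // assumption: only recognised proxy paths are gated
	}
	return allowed[id]
}

// hardenedAuthorize canonicalises with path.Clean first and fails closed:
// a path that changes under cleaning (doubled slash, ".", "..", trailing
// slash) is rejected outright, and anything that is not a proxy path is denied.
func hardenedAuthorize(rawPath string) bool {
	clean := path.Clean(rawPath)
	if clean != rawPath {
		return false
	}
	id := dataSourceID(clean)
	return id != "" && allowed[id]
}

func main() {
	p := "/api/datasources/proxy//2/api/v1/query" // forbidden id, extra slash
	fmt.Printf("naive=%v hardened=%v\n", naiveAuthorize(p), hardenedAuthorize(p))
}
```

Running it prints `naive=true hardened=false`: the same doubled-slash request that slips past the segment-based check is refused once the path is canonicalised before the decision is made.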

References

CVE Name CVE-2025-3454
URL https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/