CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2025-3454 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-3454
20 May 2025 — This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of... • https://grafana.com/security/security-advisories/cve-2025-3454 • CWE-285: Improper Authorization •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6322
https://notcve.org/view.php?id=CVE-2024-6322
20 Aug 2024 — Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •