Bug 2458704 (CVE-2025-12141)
| Summary: | CVE-2025-12141 Grafana: Grafana: Information disclosure of secure settings via contact point modification | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | alcohan, amctagga, aoconnor, bniver, flucifre, gmeno, gparvin, groman, jbalunas, lchilton, mbenjamin, mhackett, pahickey, rhaigner, sfeifer, sostapov, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Grafana's alerting system. Users with editor permissions, specifically those able to write or test alert notifications, can modify contact points created by other users. By changing the endpoint URL to a controlled server and triggering the test functionality, an attacker can capture and extract sensitive secure settings, such as authentication credentials for third-party services. This vulnerability leads to unauthorized access and potential compromise of external integrations.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2458890 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-04-15 16:01:33 UTC
|