Security update for grafana SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0624-1 Final 1 1 2025-02-21T11:00:27Z current 2025-02-21T11:00:27Z 2025-02-21T11:00:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana This update for grafana fixes the following issues: grafana was updated from version 10.4.13 to 10.4.15: - Security issues fixed: * CVE-2024-45339: Fixed vulnerability when creating log files (bsc#1236559) * CVE-2024-11741: Fixed the Grafana Alerting VictorOps integration (bsc#1236734) * CVE-2025-21613: Removed vulnerable library github.com/go-git/go-git/v5 (bsc#1235574) * CVE-2024-28180: Fixed improper handling of highly compressed data (bsc#1235206) - Other bugs fixed and changes: * Alerting: Do not fetch Orgs if the user is authenticated by apikey/sa or render key * Added provisioning directories * Use /bin/bash in wrapper scripts The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-624,SUSE-SLE-Manager-Tools-15-2025-624 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250624-1/ Link for SUSE-SU-2025:0624-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020387.html E-Mail link for SUSE-SU-2025:0624-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1235206 SUSE Bug 1235206 https://bugzilla.suse.com/1235574 SUSE Bug 1235574 https://bugzilla.suse.com/1236559 SUSE Bug 1236559 https://bugzilla.suse.com/1236734 SUSE Bug 1236734 https://www.suse.com/security/cve/CVE-2024-11741/ SUSE CVE CVE-2024-11741 page https://www.suse.com/security/cve/CVE-2024-28180/ SUSE CVE CVE-2024-28180 page https://www.suse.com/security/cve/CVE-2024-45339/ SUSE CVE CVE-2024-45339 page https://www.suse.com/security/cve/CVE-2025-21613/ SUSE CVE CVE-2025-21613 page SUSE Manager Client Tools 15 grafana-10.4.15-150000.1.71.1 grafana-10.4.15-150000.1.71.1 as a component of SUSE Manager Client Tools 15 Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 CVE-2024-11741 SUSE Manager Client Tools 15:grafana-10.4.15-150000.1.71.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250624-1/ https://www.suse.com/security/cve/CVE-2024-11741.html CVE-2024-11741 https://bugzilla.suse.com/1236734 SUSE Bug 1236734 Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. CVE-2024-28180 SUSE Manager Client Tools 15:grafana-10.4.15-150000.1.71.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250624-1/ https://www.suse.com/security/cve/CVE-2024-28180.html CVE-2024-28180 https://bugzilla.suse.com/1234984 SUSE Bug 1234984 When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. CVE-2024-45339 SUSE Manager Client Tools 15:grafana-10.4.15-150000.1.71.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250624-1/ https://www.suse.com/security/cve/CVE-2024-45339.html CVE-2024-45339 https://bugzilla.suse.com/1236541 SUSE Bug 1236541 go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. CVE-2025-21613 SUSE Manager Client Tools 15:grafana-10.4.15-150000.1.71.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250624-1/ https://www.suse.com/security/cve/CVE-2025-21613.html CVE-2025-21613 https://bugzilla.suse.com/1235572 SUSE Bug 1235572