Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15

According to its self-reported version, the Grafana install hosted on the remote host is earlier than 10.4.15, or earlier than 11.0.11, or earlier than 11.1.11, or earlier than 11.2.6, or earlier than 11.3.3, or earlier than 11.4.1. It is, therefore, affected by a exposure of sensitive information to an unauthorized actor vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0623-1 advisory.

    grafana was updated from version 10.4.13 to 10.4.15:

    - Security issues fixed:
        * CVE-2024-45339: Fixed vulnerability when creating log files (bsc#1236559)
        * CVE-2024-11741: Fixed the Grafana Alerting VictorOps integration (bsc#1236734)
        * CVE-2025-21613: Removed vulnerable library github.com/go-git/go-git/v5 (bsc#1235574)
        * CVE-2024-28180: Fixed improper handling of highly compressed data (bsc#1235206)
    - Other bugs fixed and changes:
        * Alerting: Do not fetch Orgs if the user is authenticated by apikey/sa or render key
        * Added provisioning directories
        * Use /bin/bash in wrapper scripts

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0429-1 advisory.

    - Update to version 0.0.20250207T224745 2025-02-07T22:47:45Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3456 CVE-2025-24786 GHSA-9r4c-jwx3-3j76
      * GO-2025-3457 CVE-2025-24787 GHSA-c7w4-9wv8-7x7c
      * GO-2025-3458 CVE-2025-24366 GHSA-vj7w-3m8c-6vpx

    - Update to version 0.0.20250206T175003 2025-02-06T17:50:03Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2023-1867 CVE-2022-47930 GHSA-c58h-qv6g-fw74
      * GO-2024-3244 CVE-2024-50354 GHSA-cph5-3pgr-c82g

    - Update to version 0.0.20250206T165438 2025-02-06T16:54:38Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3428 CVE-2025-22867
      * GO-2025-3447 CVE-2025-22866

    - Update to version 0.0.20250205T232745 2025-02-05T23:27:45Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3408
      * GO-2025-3448 GHSA-23qp-3c2m-xx6w
      * GO-2025-3449 GHSA-mx2j-7cmv-353c
      * GO-2025-3450 GHSA-w7wm-2425-7p2h
      * GO-2025-3454 GHSA-mj4v-hp69-27x5
      * GO-2025-3455 GHSA-vqv5-385r-2hf8

    - Update to version 0.0.20250205T003520 2025-02-05T00:35:20Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3451

    - Update to version 0.0.20250204T220613 2025-02-04T22:06:13Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3431 CVE-2025-24884 GHSA-hcr5-wv4p-h2g2
      * GO-2025-3433 CVE-2025-23216 GHSA-47g2-qmh2-749v
      * GO-2025-3434 CVE-2025-24376 GHSA-fc89-jghx-8pvg
      * GO-2025-3435 CVE-2025-24784 GHSA-756x-m4mj-q96c
      * GO-2025-3436 CVE-2025-24883 GHSA-q26p-9cq4-7fc2
      * GO-2025-3437 GHSA-274v-mgcv-cm8j
      * GO-2025-3438 CVE-2024-11741 GHSA-wxcc-2f3q-4h58
      * GO-2025-3442 CVE-2025-24371 GHSA-22qq-3xwm-r5x4
      * GO-2025-3443 GHSA-r3r4-g7hq-pq4f
      * GO-2025-3444 CVE-2024-35177
      * GO-2025-3445 CVE-2024-47770

    - Use standard RPM macros to unpack the source and populate a       working directory. Fixes build with RPM 4.20.

    - Update to version 0.0.20250130T185858 2025-01-30T18:58:58Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2024-2842 CVE-2024-3727 GHSA-6wvf-f2vw-3425
      * GO-2024-3181 CVE-2024-9313 GHSA-x5q3-c8rm-w787
      * GO-2024-3188 CVE-2024-9312 GHSA-4gfw-wf7c-w6g2
      * GO-2025-3372 CVE-2024-45339 GHSA-6wxm-mpqj-6jpf
      * GO-2025-3373 CVE-2024-45341
      * GO-2025-3383 CVE-2024-45340
      * GO-2025-3408
      * GO-2025-3412 CVE-2024-10846 GHSA-36gq-35j3-p9r9
      * GO-2025-3420 CVE-2024-45336
      * GO-2025-3421 CVE-2025-22865
      * GO-2025-3424 CVE-2025-24369
      * GO-2025-3426 CVE-2025-0750 GHSA-hp5j-2585-qx6g
      * GO-2025-3427 CVE-2024-13484 GHSA-58fx-7v9q-3g56

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Grafana Labs installed on the remote host is prior to 10.4.15, 11.0.11, 11.1.11, 11.2.6, 11.3.3, or 11.4.1, 11.5.0. It is, therefore, affected by a vulnerability as referenced in the cve-2024-11741 advisory.

  - Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps     integration was not properly protected and could be exposed to users with Viewer permission. Fixed in     versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 (CVE-2024-11741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114827	Grafana < 11.4.1 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
114826	Grafana < 11.3.3 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
114825	Grafana < 11.2.6 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
114824	Grafana < 11.1.11 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
114823	Grafana < 11.0.11 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
114822	Grafana < 10.4.15 Exposure Of Sensitive Information To An Unauthorized Actor	Web App Scanning	Component Vulnerability	medium
216639	SUSE SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2025:0623-1)	Nessus	SuSE Local Security Checks	critical
216199	SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2025:0429-1)	Nessus	SuSE Local Security Checks	high
215000	Grafana Labs 10.4.x < 10.4.15 / 11.0.x < 11.0.11 / 11.1.x < 11.1.11 / 11.2.x < 11.2.6 / 11.3.x < 11.3.3 / 11.4.x < 11.4.1, 11.5.0 (cve-2024-11741)	Nessus	Web Servers	medium

Detections

Analytics

CVE-2024-11741

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

critical

high

medium