Alpine: multiple grafana packages: security update to 11.6.1-r0

high Tenable Self-Hosted Container Security Plugin ID 427783

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is
able to modify such a panel in order to make it execute arbitrary JavaScript. (CVE-2025-2703)

- A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to
bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1,
v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can
view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any
folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does
not grant access to datasources. (CVE-2025-3260)

- This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding
an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read
access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects
datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based
datasources. (CVE-2025-3454)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-2703

https://security.alpinelinux.org/vuln/CVE-2025-3260

https://security.alpinelinux.org/vuln/CVE-2025-3454

Plugin Details

Severity: High

ID: 427783

Version: Revision 1.12

Type: Local

Published: 5/30/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.08

CVSS v2

Risk Factor: High

Base Score: 8.7

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P

CVSS Score Source: CVE-2025-3260

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/23/2025

Reference Information

CVE: CVE-2025-2703, CVE-2025-3260, CVE-2025-3454

IAVB: 2025-B-0087-S, 2025-B-0096-S