TencentOS Server 4: grafana (TSSA-2025:0596)

high Nessus Plugin ID 249979

Synopsis

The remote TencentOS Server 4 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities, as referenced in the TSSA-2025:0596 advisory.

Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

CVE-2025-1088:
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

- Not part of any organization, or
- Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

CVE-2024-10452:
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01.

CVE-2025-3580:
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive, due to an Improper Input Validation vulnerability in Grafana.
This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher.

CVE-2025-3415:
Organization admins can delete pending invites created in an organization they are not part of.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20250596.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10452

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3580

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3415

Plugin Details

Severity: High

ID: 249979

File Name: tencentos_TSSA_2025_0596.nasl

Version: 1.1

Type: local

Published: 8/15/2025

Updated: 8/15/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:grafana, cpe:/o:tencent:tencentos_server:4

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/12/2025

Vulnerability Publication Date: 8/12/2025