Detections
Analytics

TencentOS Server 4: grafana (TSSA-2025:0596)

low Nessus Plugin ID 249979

Synopsis

The remote TencentOS Server 4 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0596 advisory.

 Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

 CVE-2025-1088:
 An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

 The vulnerability can be exploited when:

 1. An Organization administrator exists

 2. The Server administrator is either:

 - Not part of any organization, or
 - Part of the same organization as the Organization administrator Impact:

 - Organization administrators can permanently delete Server administrator accounts

 - If the only Server administrator is deleted, the Grafana instance becomes unmanageable

 - No super-user permissions remain in the system

 - Affects all users, organizations, and teams managed in the instance

 The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

 CVE-2024-10452:
 Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
 Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

 CVE-2025-3580:
 In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana.
 This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.

 CVE-2025-3415:
 Organization admins can delete pending invites created in an organization they are not part of.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20250596.xml

Plugin Details

Severity: Low

ID: 249979

File Name: tencentos_TSSA_2025_0596.nasl

Version: 1.2

Type: local

Published: 8/15/2025

Updated: 12/4/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.4

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:N

CVSS Score Source: CVE-2024-10452

CVSS v3

Risk Factor: Low

Base Score: 2.7

Temporal Score: 2.4

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 0.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:grafana, cpe:/o:tencent:tencentos_server:4

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/12/2025

Vulnerability Publication Date: 8/12/2025

Reference Information

CVE: CVE-2024-10452, CVE-2025-1088, CVE-2025-3415, CVE-2025-3580