SUSE SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2026:1037-1)

Nessus Plugin ID 303789 (Severity: High)

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1037-1 advisory.

- Security issues fixed:

- CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
- CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
- CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
- CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
- CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

- Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface.
- One-Click Actions: Visualizations now support faster navigation via one-click links and actions.
- Alerting History: Added version history for alert rules, allowing you to track changes over time.
- Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup.
- Cron Support: Annotations now support Cron syntax for more flexible scheduling.
- Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath.
- Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting.
- Alerting Limits: Added size limits for expanded notification templates to prevent system strain.
- RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field.
- Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries.
- Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links.
- Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly.
- URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected grafana package.

See Also

https://bugzilla.suse.com/1245302

https://bugzilla.suse.com/1255340

https://bugzilla.suse.com/1257337

https://bugzilla.suse.com/1257349

https://bugzilla.suse.com/1258136

http://www.nessus.org/u?21d9094f

https://www.suse.com/security/cve/CVE-2025-3415

https://www.suse.com/security/cve/CVE-2025-68156

https://www.suse.com/security/cve/CVE-2026-21720

https://www.suse.com/security/cve/CVE-2026-21721

https://www.suse.com/security/cve/CVE-2026-21722

Plugin Details

Severity: High

ID: 303789

File Name: suse_SU-2026-1037-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/26/2026

Updated: 3/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2026-21721

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:grafana, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/25/2026

Vulnerability Publication Date: 6/18/2025

Reference Information

CVE: CVE-2025-3415, CVE-2025-68156, CVE-2026-21720, CVE-2026-21721, CVE-2026-21722

IAVB: 2025-B-0121-S, 2026-B-0025

SuSE: SUSE-SU-2026:1037-1