openSUSE 16 Security Update : grafana (openSUSE-SU-2026:21351-1)

medium Nessus Plugin ID 327226

Language:

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21351-1 advisory.

Changes in grafana:

- Add UI web assets as additional source tarball

- Update to version 12.4.5 (jsc#PED-16512):
* Datasources: return 400 when payload UID does not match URL UID in PUT /api/datasources/uid/:uid

- Update to version 12.4.4:
* Security and quality updates.
* Various bug fixes and enhancements.

- Update to version 12.4.3:
* Analytics: Keep internal dashboard id.
* Go: Update to 1.25.9.
* Reporting: Correctly apply appSubURL to report settings requests.
* Alerting: Document Grafana HA Alertmanager cluster metrics prefix change.

- Update to version 12.4.2:
* Various bug fixes and performance improvements.
* Dependency updates to core plugins and UI libraries.

- Update to version 12.4.1:
* Bug fixes and minor quality-of-life enhancements.
* Updates to data source provisioning and dashboard schemas.

- Update to version 12.4.0:
* Introduced dynamic dashboards in public preview.
* Added a new side toolbar that replaces the second top toolbar to provide additional vertical space.
* Added the ability to create dashboards from templates using sample data.
* Revamped the gauge visualization with rounded bars, configurable bar thickness, and endpoint markers.
* Added support to map one variable to multiple values.
* CVE-2025-12141: Fixed information leakage in Grafana Alerting (bsc#1262187)

- Update to version 12.3.0:
* Released a completely redesigned logs visualization.
* Added the ability to export dashboards directly as PNG images.
* Introduced an interactive learning experience within the Grafana UI.
* Added a Switch template variable type to quickly toggle between values in queries.
* Added functionality to style table cells using CSS properties via the field cell option.

- Update to version 12.2.0:
* Routine feature enhancements, minor bug fixes, and security patches.

- Update to version 12.1.0:
* Added support for Entra Workload Identity to enhance authentication capabilities with federated credentials.
* Redesigned the alert rule list page.
* Renamed Mute Timings to Active Time Intervals in Grafana Alerting.
* Added support for Service Account Impersonation in the BigQuery data source.
* Introduced the Grafana Advisor in public preview.

- Update to version 12.0.0:
* BREAKING: Removed AngularJS and all deprecated UI Extensions APIs.
* BREAKING: Enforced stricter version compatibility checks in plugin CLI install commands.
* BREAKING: Enabled the failWrongDSUID feature flag by default, which rejects data sources with incorrect UIDs.
* MIGRATION: Triggered a full-table rewrite for the annotation table, which may temporarily increase disk usage.
* Introduced a new dashboard schema to replace the original single grid layout.

- CVE-2026-41607: Fix potential information disclosure in Apache Thrift (bsc#1263272)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected grafana package.

See Also

https://bugzilla.suse.com/1262187

https://bugzilla.suse.com/1263272

https://www.suse.com/security/cve/CVE-2025-12141

https://www.suse.com/security/cve/CVE-2026-21725

https://www.suse.com/security/cve/CVE-2026-41607

Plugin Details

Severity: Medium

ID: 327226

File Name: openSUSE-2026-21351-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/16/2026

Updated: 7/16/2026

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.64

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-12141

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:grafana

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/14/2026

Vulnerability Publication Date: 2/25/2026

Reference Information

CVE: CVE-2025-12141, CVE-2026-21725, CVE-2026-41607

IAVB: 2026-B-0079-S