{}

{}

{}

{"bugzilla": {"description": "grafana: Exposure of DingDing alerting integration URL to Viewer level users", "id": "2374538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374538"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-3415", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3415\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3415"], "statement": "The Grafana development team assessed this as a Medium severity information exposure issue. Viewer-role users can now access sensitive webhook URLs, enabling them to hijack or misuse notifications through the DingDing integration. The underlying cause is weak access control policies that do not restrict configuration data from lower-privileged roles.", "threat_severity": "Moderate"}