Security update for grafana

Announcement ID:	SUSE-SU-2025:0622-1
Release Date:	2025-02-21T10:59:57Z
Rating:	important
References:	bsc#1235206 bsc#1235574 bsc#1236559 bsc#1236734
Cross-References:	CVE-2024-11741 CVE-2024-28180 CVE-2024-45339 CVE-2025-21613
CVSS scores:	CVE-2024-11741 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-11741 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2024-11741 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2024-28180 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2024-28180 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2024-28180 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2024-45339 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-45339 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2024-45339 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2025-21613 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-21613 ( NVD ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear CVE-2025-21613 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Manager Client Tools for SLE 12

An update that solves four vulnerabilities can now be installed.

Description:

This update for grafana fixes the following issues:

grafana was updated from version 10.4.13 to 10.4.15:

• Security issues fixed:
  • CVE-2024-45339: Fixed vulnerability when creating log files (bsc#1236559)
  • CVE-2024-11741: Fixed the Grafana Alerting VictorOps integration (bsc#1236734)
  • CVE-2025-21613: Removed vulnerable library github.com/go-git/go-git/v5 (bsc#1235574)
  • CVE-2024-28180: Fixed improper handling of highly compressed data (bsc#1235206)
• Other bugs fixed and changes:
  • Alerting: Do not fetch Orgs if the user is authenticated by apikey/sa or render key
  • Added provisioning directories
  • Use /bin/bash in wrapper scripts

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for SLE 12
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2025-622=1

Package List:

• SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
  • grafana-10.4.15-1.71.1

References:

• https://www.suse.com/security/cve/CVE-2024-11741.html
• https://www.suse.com/security/cve/CVE-2024-28180.html
• https://www.suse.com/security/cve/CVE-2024-45339.html
• https://www.suse.com/security/cve/CVE-2025-21613.html
• https://bugzilla.suse.com/show_bug.cgi?id=1235206
• https://bugzilla.suse.com/show_bug.cgi?id=1235574
• https://bugzilla.suse.com/show_bug.cgi?id=1236559
• https://bugzilla.suse.com/show_bug.cgi?id=1236734