Security update for grafana

Announcement ID:	SUSE-SU-2025:4482-1
Release Date:	2025-12-18T12:22:32Z
Rating:	important
References:	bsc#1245302 bsc#1246735 bsc#1246736 bsc#1250616 bsc#1251454 bsc#1251657 bsc#1254113 jsc#MSQA-1034 jsc#PED-14178
Cross-References:	CVE-2025-11065 CVE-2025-3415 CVE-2025-47911 CVE-2025-58190 CVE-2025-6023 CVE-2025-6197 CVE-2025-64751
CVSS scores:	CVE-2025-11065 ( SUSE ): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-11065 ( SUSE ): 4.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N CVE-2025-3415 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-6023 ( SUSE ): 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-6023 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVE-2025-6023 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVE-2025-6197 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-6197 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-6197 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-64751 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVE-2025-64751 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N CVE-2025-64751 ( NVD ): 5.8 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:	openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Package Hub 15 15-SP6 SUSE Package Hub 15 15-SP7

An update that solves seven vulnerabilities and contains two features can now be installed.

Description:

This update for grafana fixes the following issues:

grafana was updated from version 11.5.5 to 11.5.10:

• Security issues fixed:

• CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version 11.5.10) (bsc#1254113)

• CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454)
• CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657)
• CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
• CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
• CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)

• CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6) (bsc#1245302)

• Other changes, new features and bugs fixed:

• Version 11.5.10:

  • Use forked wire from Grafana repository instead of external package (jsc#PED-14178)
  • Auth: Fix render user OAuth passthrough.
  • LDAP Authentication: Fix URL to propagate username context as parameter.
  • Plugins: Dependencies do not inherit parent URL for preinstall.

• Version 11.5.9:

  • Auditing: Document new options for recording datasource query request/response body.
  • Login: Fixed redirection after login when Grafana is served from subpath.

• Version 11.5.7:

  • Azure: Fixed legend formatting and resource name determination in template variable queries.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-4482=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4482=1
• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4482=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-11.5.10-150200.3.80.1
  • grafana-11.5.10-150200.3.80.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-11.5.10-150200.3.80.1
  • grafana-11.5.10-150200.3.80.1
• SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-11.5.10-150200.3.80.1
  • grafana-11.5.10-150200.3.80.1

References:

• https://www.suse.com/security/cve/CVE-2025-11065.html
• https://www.suse.com/security/cve/CVE-2025-3415.html
• https://www.suse.com/security/cve/CVE-2025-47911.html
• https://www.suse.com/security/cve/CVE-2025-58190.html
• https://www.suse.com/security/cve/CVE-2025-6023.html
• https://www.suse.com/security/cve/CVE-2025-6197.html
• https://www.suse.com/security/cve/CVE-2025-64751.html
• https://bugzilla.suse.com/show_bug.cgi?id=1245302
• https://bugzilla.suse.com/show_bug.cgi?id=1246735
• https://bugzilla.suse.com/show_bug.cgi?id=1246736
• https://bugzilla.suse.com/show_bug.cgi?id=1250616
• https://bugzilla.suse.com/show_bug.cgi?id=1251454
• https://bugzilla.suse.com/show_bug.cgi?id=1251657
• https://bugzilla.suse.com/show_bug.cgi?id=1254113
• https://jira.suse.com/browse/MSQA-1034
• https://jira.suse.com/browse/PED-14178