CVE-2025-3415
Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
CVSS 3.1: 4.3 (MEDIUM), EPSS 0.44%
Description
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01.
How to fix CVE-2025-3415
To remediate CVE-2025-3415, upgrade the affected package to a fixed version below.
- —upgrade to 10.4.19 or later
- —upgrade to 1.9.2-0.20250514160932-04111e9f2afd or later
- —no fix listed
Is CVE-2025-3415 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 10.4.0, < 10.4.19; >= 11.2.0, < 11.6.2; >= 12.0.0, < 12.0.1
- from 0, < 1.9.2-0.20250514160932-04111e9f2afd
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |