Search criteria
3 vulnerabilities by Grafana Labs
CVE-2025-41116 (GCVE-0-2025-41116)
Vulnerability from cvelistv5 – Published: 2025-11-11 20:18 – Updated: 2025-11-19 17:52
VLAI?
Summary
When using the Grafana Databricks Datasource Plugin,
if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in
the wrong user identifier being used, and information for which the viewer is not authorized being returned.
This issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana Labs | Grafana Databricks Datasource Plugin |
Affected:
1.6.0 , < 1.12.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T21:44:41.624004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:45:13.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Databricks Datasource Plugin",
"vendor": "Grafana Labs",
"versions": [
{
"lessThan": "1.12.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen using the Grafana Databricks Datasource Plugin,\u003cbr\u003eif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u0026nbsp; could result in\u0026nbsp;\u003c/div\u003e\u003cdiv\u003ethe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u0026nbsp;\u003c/div\u003e\u003cp\u003eThis issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When using the Grafana Databricks Datasource Plugin,\nif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u00a0 could result in\u00a0\n\nthe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u00a0\n\nThis issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T17:52:50.180Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-41116/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Incorrect oauth passthrough in Grafana Databricks Datasource",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41116",
"datePublished": "2025-11-11T20:18:07.602Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2025-11-19T17:52:50.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3717 (GCVE-0-2025-3717)
Vulnerability from cvelistv5 – Published: 2025-11-11 20:17 – Updated: 2025-11-12 21:46
VLAI?
Summary
When using the Grafana Snowflake Datasource Plugin,
if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in
the wrong user identifier being used, and information for which the viewer is not authorized being returned.
This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana Labs | Grafana Snowflake Datasource Plugin |
Affected:
1.5.0 , < 1.14.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T21:46:02.961565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:46:15.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Snowflake Datasource Plugin",
"vendor": "Grafana Labs",
"versions": [
{
"lessThan": "1.14.1",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen using the Grafana Snowflake Datasource Plugin,\u003cbr\u003eif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u0026nbsp; could result in\u0026nbsp;\u003c/div\u003e\u003cdiv\u003ethe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u0026nbsp;\u003c/div\u003e\u003cp\u003eThis issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1.\u003c/p\u003e"
}
],
"value": "When using the Grafana Snowflake Datasource Plugin,\nif Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it\u00a0 could result in\u00a0\n\nthe wrong user identifier being used, and information for which the viewer is not authorized being returned.\u00a0\n\nThis issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-11T20:17:48.364Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-3717/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect oauth passthrough in Grafana Snowflake Datasource",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-3717",
"datePublished": "2025-11-11T20:17:48.364Z",
"dateReserved": "2025-04-16T08:56:42.388Z",
"dateUpdated": "2025-11-12T21:46:15.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9476 (GCVE-0-2024-9476)
Vulnerability from cvelistv5 – Published: 2024-11-13 16:30 – Updated: 2025-11-23 15:33
VLAI?
Summary
A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.
Severity ?
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana Labs | Grafana OSS and Enterprise |
Affected:
11.3.0 , < 11.3.0+security-01
(semver)
Affected: 11.2.0 , < 11.2.3+security-01 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:54:30.628886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:13:24.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS and Enterprise",
"vendor": "Grafana Labs",
"versions": [
{
"lessThan": "11.3.0+security-01",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.2.3+security-01",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The feature toggle\u0026nbsp;\u003ctt\u003e\u003ccode\u003eonPremToCloudMigrations\u003c/code\u003e\u003c/tt\u003e must be enabled for this vulnerability to be activated. \u003cbr\u003eSee \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://grafana.com/docs/grafana-cloud/account-management/migration-guide/\"\u003ehttps://grafana.com/docs/grafana-cloud/account-management/migration-guide/\u003c/a\u003e for more details\u003cbr\u003e"
}
],
"value": "The feature toggle\u00a0onPremToCloudMigrations must be enabled for this vulnerability to be activated. \nSee https://grafana.com/docs/grafana-cloud/account-management/migration-guide/ for more details"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.\u003cdiv\u003e\u003cdiv\u003eThis vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-23T15:33:38.284Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2024-9476/"
},
{
"url": "https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Privilege escalation vulnerability for Organizations in Grafana",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-9476",
"datePublished": "2024-11-13T16:30:54.581Z",
"dateReserved": "2024-10-03T12:58:42.842Z",
"dateUpdated": "2025-11-23T15:33:38.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}