CVE-2025-3260

描述

A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

受影響套件(3)

• Bitnami/grafana>= 11.6.0, < 11.6.1
• Go/github.com/grafana/grafana>= 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
• Go/github.com/grafana/grafana>= 0.0.0-20250114093457-36d6fad421fb

CVSS 分數

參考連結(7)

• ADVISORYhttps://github.com/advisories/GHSA-3px7-c4j3-576r
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-3260
• PATCHhttps://github.com/grafana/grafana
• WEBhttps://github.com/grafana/grafana/blob/be8d153dc33734caba4f617ff571d18253e68fa0/CHANGELOG.md#1161-2025-04-23
• WEBhttps://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454
• WEBhttps://grafana.com/security/security-advisories/CVE-2025-3260
• WEBhttps://grafana.com/security/security-advisories/CVE-2025-3260/