CVE-2024-11741

Aliases:GHSA-wxcc-2f3q-4h58BIT-grafana-2024-11741GO-2025-3438

Advisory lineage Upstream: 0 Downstream: 8

Downstream

OPENSUSE-SU-2025:14724-1 OPENSUSE-SU-2025:14732-1 SUSE-SU-2025:01985-1 SUSE-SU-2025:0429-1 SUSE-SU-2025:0622-1 SUSE-SU-2025:0623-1

Deferred

Published: 31 Jan 2025, 15:12

Last modified:09 May 2025, 20:03

Vulnerability Summary

Overall Risk (default)

low

17/100

CVSS Score

4.3 MEDIUM

v3.1 (cve.org)

EPSS Score

0.1% LOW

0% probability -0.04%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

31 Jan 2025, 15:12

Published

Vulnerability first disclosed

09 May 2025, 20:03

Last Modified

Vulnerability information updated

Description

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.10%• Percentile: 28%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

github.com/grafana•grafana
≥ 11.4.0, < 11.4.1 | ≥ 11.3.0, < 11.3.3 | ≥ 11.2.0, < 11.2.6 | ≥ 11.1.0, < 11.1.11 | ≥ 11.0.0, < 11.0.11 | ≥ 1.9.2, < 10.4.15 | < 0.0.0-20250129224826-70073427041e | ≥ 0.0.0, < 1.9.2-0.20250129224826-70073427041e | all
grafana•grafana
≥ 11.4.0, < 11.4.1 | ≥ 11.3.0, < 11.3.3 | ≥ 11.2.0, < 11.2.6 | ≥ 11.1.0, < 11.1.11 | ≥ 10.4.0, < 10.4.15