Data Management and Analytics

In Grafana versions from 10.4.18+security-01 before 10.4.19, from 11.2.9+security-01 before 11.2.10, from 11.3.6+security-01 before 11.3.7, from 11.4.4+security-01 before 11.4.5, from 11.5.4+security-01 before 11.5.5, from 11.6.1+security-01 before 11.6.2 and from 12.0.0+security-01 before 12.0.1 a high severity vulnerability CVE-2025-4123 was detected. This vulnerability lets attackers redirect users to malicious sites executing JavaScript without editor rights, can cause SSRF with the Image Renderer plugin. To address this issue, users should upgrade Grafana to versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01 and 12.0.0+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4123.

In Pgpool-II versions 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 a critical severity vulnerability CVE-2025-46801 was detected. This vulnerability allows attackers to bypass authentication and log in as arbitrary users, enabling them to read, modify, or disable data in the connected database. To address this issue, users should upgrade Pgpool-II to versions 4.6.1, 4.5.7, 4.4.12, 4.3.15, 4.2.22 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46801.

In Apache Superset versions through 4.1.1 a medium severity vulnerability CVE-2025-27696 was detected. This vulnerability allows authenticated users with read permissions to take ownership of dashboards, charts, or datasets. To address this issue, users should upgrade Apache Superset to versions 4.1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27696.

In PostgreSQL versions before 17.5, 16.9, 15.13, 14.18 and 13.21 a medium severity vulnerability CVE-2025-4207 was detected. This vulnerability allows a database input provider to trigger a temporary denial of service by exploiting a buffer over-read in GB18030 encoding validation, potentially causing process termination on affected platforms and impacting both the database server and libpq. To address this issue, users should upgrade PostgreSQL to versions 17.5, 16.9, 15.13, 14.18 or 13.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4207.

In Kibana versions 8.3.0 to 8.17.5, 8.18.0 and 9.0.0 a critical severity vulnerability CVE-2025-25014 was detected. This vulnerability allows attackers to achieve arbitrary code execution through prototype pollution by sending crafted HTTP requests to machine learning and reporting endpoints. To address this issue, users should upgrade Kibana to versions 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25014.

In Logstash versions prior to 8.17.6, 8.18.0 and 9.0.0 a medium severity vulnerability CVE-2025-37730 was detected. This vulnerability allows attackers to perform man-in-the-middle (MitM) attacks in “client” mode due to improper certificate validation – specifically, the lack of hostname verification when `ssl_verification_mode => full` was set in the TCP output configuration. To address this issue, users should upgrade Logstash to versions 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37730.

In Grafana versions prior to 10.4.17+security-0 a medium severity vulnerability CVE-2025-3454 was detected. This vulnerability allows attackers to bypass authorization checks by inserting an extra slash in the datasource proxy API path, enabling unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. To address this issue, users should upgrade Grafana to versions 10.4.17+security-01, 11.2.8+security-01, 11.3.5+security-01, 11.4.3+security-01, 11.5.3+security-01, 11.6.0+security-01 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3454.

In Grafana versions 0alpha1, 1alpha1 and 2alpha1 a high severity vulnerability was detected in the /apis/dashboard.grafana.app/* endpoints across all API versions. This vulnerability allows authenticated and anonymous users with viewer or editor roles to bypass dashboard and folder-level permissions, enabling unrestricted access, modification, and creation of dashboards across all folders, while organization isolation and datasource access remain unaffected. Currently, there is no fix version for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3260.

In Elasticsearch versions prior to 7.17.25 and prior to 8.16.0 a medium severity vulnerability CVE-2024-52979 was detected. This vulnerability allows attackers to trigger uncontrolled resource consumption by submitting specially crafted search templates using Mustache functions, potentially leading to a Denial of Service by crashing the Elasticsearch node. To address this issue, users should upgrade Elasticsearch to versions 7.17.25 or 8.16.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52979.