cvelistv5 - cve-2025-3580

CVE-2025-3580 (GCVE-0-2025-3580)

Vulnerability from cvelistv5

Published

2025-05-23 13:44

Modified

2025-07-17 10:28

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CWE

CWE-284

Summary

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

References

URL

Tags

https://grafana.com/security/security-advisories/cve-2025-3580/

vendor-advisory

Impacted products

	Vendor	Product	Version
	Grafana	Grafana	Version: 12.0.0 ≤ Version: 11.6.1 ≤ Version: 11.5.4 ≤ Version: 11.4.4 ≤ Version: 11.3.6 ≤ Version: 11.2.9 ≤ Version: 10.4.18 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-23T14:04:27.385036Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-23T14:05:09.480Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.1",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.6.2",
              "status": "affected",
              "version": "11.6.1",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.5",
              "status": "affected",
              "version": "11.5.4",
              "versionType": "semver"
            },
            {
              "lessThan": "11.4.5",
              "status": "affected",
              "version": "11.4.4",
              "versionType": "semver"
            },
            {
              "lessThan": "11.3.7",
              "status": "affected",
              "version": "11.3.6",
              "versionType": "semver"
            },
            {
              "lessThan": "11.2.10",
              "status": "affected",
              "version": "11.2.9",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.19",
              "status": "affected",
              "version": "10.4.18",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Saket Pandey"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\u003c/p\u003e\u003cp\u003eThe vulnerability can be exploited when:\u003c/p\u003e\u003cp\u003e1. An Organization administrator exists\u003c/p\u003e\u003cp\u003e2. The Server administrator is either:\u003c/p\u003e\u003ccode\u003e   - Not part of any organization, or\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e   - Part of the same organization as the Organization administrator\u003c/code\u003e\u003cbr\u003e\u003cp\u003eImpact:\u003c/p\u003e\u003cp\u003e- Organization administrators can permanently delete Server administrator accounts\u003c/p\u003e\u003cp\u003e- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\u003c/p\u003e\u003cp\u003e- No super-user permissions remain in the system\u003c/p\u003e\u003cp\u003e- Affects all users, organizations, and teams managed in the instance\u003c/p\u003e\u003cp\u003eThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.\u003c/p\u003e"
            }
          ],
          "value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n   - Not part of any organization, or\n   - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T10:28:18.011Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2025-3580/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2025-3580",
    "datePublished": "2025-05-23T13:44:45.974Z",
    "dateReserved": "2025-04-14T10:36:24.956Z",
    "dateUpdated": "2025-07-17T10:28:18.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTFR-2025-AVI-0447

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Grafana Labs	Grafana	Grafana toutes versions sans les derniers correctifs de sécurité

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted