GHSA-46m5-8hpj-p5p5

Suggest an improvement
Source
https://github.com/advisories/GHSA-46m5-8hpj-p5p5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-46m5-8hpj-p5p5/GHSA-46m5-8hpj-p5p5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-46m5-8hpj-p5p5
Aliases
Downstream
Published
2025-07-17T12:30:37Z
Modified
2025-07-29T19:44:38.662091Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Grafana's insecure DingDing Alert integration exposes sensitive information
Details

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01.

Database specific
{
    "nvd_published_at": "2025-07-17T11:15:22Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-07-18T18:37:08Z",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.2-0.20250514160932-04111e9f2afd