CVE-2025-3454 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-3454 Interim 1 12 2026-03-05T01:32:50Z current 2025-04-24T23:16:13Z 2026-03-05T01:32:50Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-3454 This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-updates/2025-June/040353.html E-Mail link for SUSE-SU-2025:01985-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040351.html E-Mail link for SUSE-SU-2025:01987-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040349.html E-Mail link for SUSE-SU-2025:01989-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040347.html E-Mail link for SUSE-SU-2025:01991-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PKSIUOW7HIED3L6UVUD2KMZSPDHNUTO/ E-Mail link for openSUSE-SU-2025:15052-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 SUSE Manager Client Tools 12 SUSE Manager Client Tools 15 SUSE Manager Client Tools for SLE Micro 5 SUSE Manager Proxy Module 4.3 SUSE Manager Server 4.3 SUSE Multi-Linux Manager Client Tools for SLE 12 SUSE Multi-Linux Manager Client Tools for SLE 15 openSUSE Leap 15.6 openSUSE Tumbleweed firewalld-prometheus-config-0.1-150000.3.62.2 gnutls-3.8.3-slfo.1.1_5.1 golang-github-prometheus-alertmanager-0.26.0-1.31.2 golang-github-prometheus-node_exporter-1.9.1-1.36.2 golang-github-prometheus-prometheus-2.53.4-1.60.2 golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 govulncheck-vulndb-0.0.20250612T141001-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 grafana grafana-11.5.4-1.1 grafana-11.5.5-1.79.2 grafana-11.5.5-150000.1.79.1 grafana-11.5.5-150200.3.72.2 libgnutls30-3.8.3-slfo.1.1_5.1 prometheus-blackbox_exporter-0.26.0-1.27.1 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 release-notes-susemanager-4.3.15.2-150400.3.133.1 gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-RT-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Base-qcow gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-SelfInstall libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-SelfInstall gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-encrypted libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-encrypted gnutls-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-qcow libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SL-Micro-Default-qcow libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-Azure libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-Azure libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-EC2 libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-BYOS-GCE libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-EC2 libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Image SLE-Micro-GCE release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE grafana-11.5.5-150200.3.72.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 grafana-11.5.5-150200.3.72.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server 12 SP3-TERADATA golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 golang-github-prometheus-alertmanager-0.26.0-1.31.2 as a component of SUSE Manager Client Tools 12 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Manager Client Tools 12 golang-github-prometheus-prometheus-2.53.4-1.60.2 as a component of SUSE Manager Client Tools 12 grafana-11.5.5-1.79.2 as a component of SUSE Manager Client Tools 12 prometheus-blackbox_exporter-0.26.0-1.27.1 as a component of SUSE Manager Client Tools 12 firewalld-prometheus-config-0.1-150000.3.62.2 as a component of SUSE Manager Client Tools 15 golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 as a component of SUSE Manager Client Tools 15 grafana-11.5.5-150000.1.79.1 as a component of SUSE Manager Client Tools 15 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Client Tools 15 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Client Tools for SLE Micro 5 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Proxy Module 4.3 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of SUSE Manager Server 4.3 grafana-11.5.5-150200.3.72.2 as a component of openSUSE Leap 15.6 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of openSUSE Leap 15.6 govulncheck-vulndb-0.0.20250612T141001-1.1 as a component of openSUSE Tumbleweed grafana-11.5.4-1.1 as a component of openSUSE Tumbleweed grafana as a component of SUSE Multi-Linux Manager Client Tools for SLE 12 grafana as a component of SUSE Multi-Linux Manager Client Tools for SLE 15 This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. CVE-2025-3454 Image SL-Micro:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-RT-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-VMware:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Base-qcow:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-SelfInstall:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-SelfInstall:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-VMware:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-VMware:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-encrypted:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-encrypted:libgnutls30-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-qcow:gnutls-3.8.3-slfo.1.1_5.1 Image SL-Micro-Default-qcow:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-Azure:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-Azure:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-EC2:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-BYOS-GCE:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-EC2:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLE-Micro-GCE:libgnutls30-3.8.3-slfo.1.1_5.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.15.2-150400.3.133.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.5-150200.3.72.2 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.5-150200.3.72.2 SUSE Linux Enterprise Server 12 SP3-TERADATA:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Linux Enterprise Server 12 SP5-LTSS:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Manager Client Tools 12:golang-github-prometheus-alertmanager-0.26.0-1.31.2 SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Manager Client Tools 12:golang-github-prometheus-prometheus-2.53.4-1.60.2 SUSE Manager Client Tools 12:grafana-11.5.5-1.79.2 SUSE Manager Client Tools 12:prometheus-blackbox_exporter-0.26.0-1.27.1 SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.62.2 SUSE Manager Client Tools 15:golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 SUSE Manager Client Tools 15:grafana-11.5.5-150000.1.79.1 SUSE Manager Client Tools 15:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Client Tools for SLE Micro 5:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Proxy Module 4.3:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.15.2-150400.3.133.1 openSUSE Leap 15.6:grafana-11.5.5-150200.3.72.2 openSUSE Leap 15.6:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250612T141001-1.1 openSUSE Tumbleweed:grafana-11.5.4-1.1 moderate 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N