Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. 
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01.
                
History
Thu, 17 Jul 2025 14:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc |
Thu, 17 Jul 2025 10:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges. | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 | 
| References |  | |
| Metrics | cvssV3_1 | cvssV3_1 |
Wed, 25 Jun 2025 00:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | A flaw exists in Grafana Alerting, where the DingDing contact-point integration URL can be revealed in plain text to users with viewer-level permissions due to misconfigured access control. This disclosure permits unauthorized users to view sensitive webhook URLs, including API tokens or keys, without needing elevated privileges. | |
| Title | grafana: Exposure of DingDing alerting integration URL to Viewer level users | |
| Weaknesses | CWE-200 | |
| References |  | |
| Metrics | threat_severity | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: GRAFANA
Published: 2025-07-17T10:13:14.717Z
Updated: 2025-07-17T14:05:19.284Z
Reserved: 2025-04-07T14:28:18.797Z
Link: CVE-2025-3415
Vulnrichment
Updated: 2025-07-17T14:05:09.376Z
NVD
Status: Awaiting Analysis
Published: 2025-07-17T11:15:22.240
Modified: 2025-07-17T21:15:50.197
Link: CVE-2025-3415
 Redhat