All news with #grafana tag
Fri, November 21, 2025
Grafana warns of critical admin-spoofing flaw in Enterprise
⚠️ Grafana Labs has disclosed a maximum-severity vulnerability (CVE-2025-41115) in Grafana Enterprise that can allow new SCIM-provisioned users to be treated as administrators or used for privilege escalation. The flaw is exploitable only when SCIM provisioning is enabled and both the 'enableSCIM' feature flag and the 'user_sync_enabled' option are true. The root cause is that numeric SCIM externalId values were mapped directly to internal user.uid values. Affected self-managed Enterprise releases include 12.0.0 through 12.2.1; administrators should upgrade to a patched release (12.3.0, 12.2.1, 12.1.3, or 12.0.6) or disable SCIM. Grafana Cloud and managed services have already received patches.
Fri, November 21, 2025
Grafana fixes critical SCIM flaw enabling user impersonation
🔒 Grafana has released security updates to address a maximum-severity flaw (CVE-2025-41115) in its SCIM provisioning component that can enable user impersonation or privilege escalation under specific configurations. The issue allows a malicious or compromised SCIM client to provision a user with a numeric externalId that may be mapped to an internal user ID. It affects Grafana Enterprise 12.0.0–12.2.1 and was fixed in 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0. Grafana discovered the bug during an audit on November 4, 2025, and urges immediate patching.
Thu, October 9, 2025
CISA Adds Grafana Path Traversal to KEV Catalog Notice
📢 CISA has added CVE-2021-43798 — a Grafana path traversal vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The agency notes that path traversal is a frequent attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates. CISA strongly urges all organizations to prioritize remediation and will continue updating the KEV Catalog.
Sat, October 4, 2025
Surge in Scans Targeting Palo Alto Network Login Portals
🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs (daily scans are usually under 200). Most sources were geolocated to the United States, with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning that this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.