{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2025/cve-2025-12141-els_os-almalinux9_2esu.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-01T22:25:35Z",
      "generator": {
        "date": "2026-06-01T22:25:35Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-12141-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2025-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-21T09:01:15Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-05-12T16:37:45Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-06-01T22:25:35Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    },
    "title": "Security update on CVE-2025-12141"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/grafana@9.0.9-4.el9_2.alma.1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els14?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els12?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els10?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els13?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els3?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els11?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
                "product": {
                  "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
                  "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els15?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64"
        },
        "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-12141",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Grafana's alerting system, users with edit permissions for a contact point - specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test”, which are granted as part of the fixed role \"Contact Point Writer\" (itself part of the basic role Editor) - can edit contact points created by other users and change the endpoint URL to a server they control. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
          "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-12141"
        },
        {
          "category": "external",
          "summary": "Grafana security advisory for CVE-2025-12141",
          "url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
        }
      ],
      "release_date": "2026-04-15T16:16:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-01T20:44:16.529730Z",
          "details": "CVE-2025-12141 describes an access control gap in Grafana's alerting subsystem: a user with Viewer role can invoke the receiver test endpoint, which internally loads secure notification channel settings, potentially exposing sensitive credentials (SMTP passwords, webhook tokens). The vulnerability affects Grafana versions 8.0.0 through 12.2.x; grafana 9.0.9 is within the affected range. A safe backport is not feasible — the required RBAC middleware changes carry significant regression risk for alerting functionality in this version. Recommendation: restrict Grafana access to authenticated, trusted users only and avoid granting Viewer access to untrusted users on instances with sensitive notification channels configured. The vulnerability description in this document ties the issue to the contact point permissions “alert.notifications:write” and “alert.notifications.receivers:test”, granted through the fixed role \"Contact Point Writer\" (part of the basic role Editor), so access reviews should also cover users holding those permissions. Customers requiring a patched version should consider upgrading to Grafana 12.3.0 or later.",
          "product_ids": [
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els11.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els12.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els13.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els14.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els15.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64",
            "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}