4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3415

CVE-2025-3415: Grafana's insecure DingDing Alert integration exposes sensitive information

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-3415

CVE-2025-3415:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	< 1.9.2-0.20250514160932-04111e9f2afd	1.9.2-0.20250514160932-04111e9f2afd

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the DingDing alerter's webhook URL was not configured as a secure field, allowing users with Viewer permissions to access it. The provided patches address this by marking the 'url' field for the DingDing notifier as 'Secure: true' in pkg/services/ngalert/notifier/channels_config/available_channels.go. Consequently, the alertmanager.buildReceiverIntegrations function in pkg/services/ngalert/notifier/alertmanager.go was modified to handle this new secret field. A new function, patchNewSecureFields, is introduced and called from buildReceiverIntegrations to decrypt the DingDing URL before the receiver configuration is built. Without this patch, buildReceiverIntegrations would process the DingDing configuration with the sensitive URL in plaintext, making it accessible to unauthorized users. Therefore, alertmanager.buildReceiverIntegrations is the primary function that would be observed in a runtime profile during the exploitation of this vulnerability, as it is the function that handles the insecurely stored sensitive information.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-3415: Grafana's insecure DingDing Alert integration exposes sensitive information

CVE-2025-3415:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-3415: Grafana's insecure DingDing Alert integration exposes sensitive information

Basic Information

Basic Information

Technical Details

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI