Vulnerability Report: GO-2025-3438
- CVE-2024-11741, GHSA-wxcc-2f3q-4h58
- Affects: github.com/grafana/grafana
- Published: Feb 04, 2025
- Unreviewed
Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v10.4.15, from v11.0.0 before v11.0.11, from v11.1.0 before v11.1.11, from v11.2.0 before v11.2.6, from v11.3.0 before v11.3.3, from v11.4.0 before v11.4.1.
For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-wxcc-2f3q-4h58 or https://nvd.nist.gov/vuln/detail/CVE-2024-11741.
Affected Modules
-
PathGo VersionsCustom Versions*
-
all versions, no known fixedbefore 10.4.15, from 11.0.0 before 11.0.11, from 11.1.0 before 11.1.11, from 11.2.0 before 11.2.6, from 11.3.0 before 11.3.3, from 11.4.0 before 11.4.1
*Custom versions, which can't be mapped automatically to standard Go module versions, are ignored by govulncheck
. (See this note on versions for more details.)
Aliases
References
- https://github.com/advisories/GHSA-wxcc-2f3q-4h58
- https://nvd.nist.gov/vuln/detail/CVE-2024-11741
- https://grafana.com/security/security-advisories/cve-2024-11741
- https://vuln.go.dev/ID/GO-2025-3438.json