CVE-2024-10452: Authorization Bypass Through User-Controlled Key in Grafana

Severity
NVD: 2.7 (Low)
CNA: 2.2
EPSS: 0.2% (top 55.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 29, 2024
Latest update: Nov 4, 2024

Description

Organization admins can delete pending invites created in an organization they are not part of. The title classifies this as an authorization bypass through a user-controlled key: the invite is addressed by an identifier the caller supplies, and the check that the referenced invite belongs to the organization the admin is acting in is missing, so the org-admin role check alone does not prevent cross-organization deletion.
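
The following is an added illustration of the flaw class the advisory names, not Grafana's code: a hypothetical in-memory invite store with a revoke handler that looks the invite up by the caller-supplied code alone, beside one that scopes the lookup to the caller's organization. All names (Invite, Caller, InviteStore, RevokeUnscoped, RevokeScoped) and the sample invites are constructed for this example; the role check that the caller is an org admin is assumed to have happened upstream, since that is not the check this bug is about.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for both a missing invite and an invite that is
// outside the caller's org, so the response does not leak which one it was.
var ErrNotFound = errors.New("invite not found")

// Invite is a pending organization invitation. OrgID is the organization
// the invite was created in; Code is the opaque key a client sends to
// address it (the "user-controlled key" of the advisory title).
type Invite struct {
	Code  string
	OrgID int64
	Email string
}

// Caller models the authenticated request context after the role check:
// an org admin acting within OrgID. Hypothetical stand-in, not Grafana's
// real request context.
type Caller struct {
	UserID int64
	OrgID  int64
}

// InviteStore is a constructed in-memory stand-in for the invite table.
type InviteStore struct {
	byCode map[string]Invite
}

func NewInviteStore(invites ...Invite) *InviteStore {
	s := &InviteStore{byCode: make(map[string]Invite, len(invites))}
	for _, inv := range invites {
		s.byCode[inv.Code] = inv
	}
	return s
}

// Has reports whether an invite with the given code still exists.
func (s *InviteStore) Has(code string) bool {
	_, ok := s.byCode[code]
	return ok
}

// RevokeUnscoped is the vulnerable pattern: the row is selected by the
// caller-supplied code alone (think `DELETE ... WHERE code = ?`). The role
// check proves the caller is *an* org admin, but nothing ties the invite to
// *their* org, so any org's invite can be revoked.
func (s *InviteStore) RevokeUnscoped(_ Caller, code string) error {
	if !s.Has(code) {
		return ErrNotFound
	}
	delete(s.byCode, code)
	return nil
}

// RevokeScoped is the hardened pattern: the lookup is bound to the caller's
// org (think `DELETE ... WHERE code = ? AND org_id = ?`). An invite in another
// org is indistinguishable from a non-existent one.
func (s *InviteStore) RevokeScoped(c Caller, code string) error {
	inv, ok := s.byCode[code]
	if !ok || inv.OrgID != c.OrgID {
		return ErrNotFound
	}
	delete(s.byCode, code)
	return nil
}

// Demo runs the cross-org scenario against both handlers and reports whether
// the unscoped handler deleted the foreign invite, whether the scoped handler
// refused it, and whether the scoped handler still allows an own-org delete.
func Demo() (unscopedDeleted, scopedRefused, scopedAllowedOwn bool) {
	// Constructed data: admin of org 1; invites pending in org 1 and org 2.
	admin := Caller{UserID: 7, OrgID: 1}
	seed := func() *InviteStore {
		return NewInviteStore(
			Invite{Code: "code-org1", OrgID: 1, Email: "alice@example.test"},
			Invite{Code: "code-org2", OrgID: 2, Email: "bob@example.test"},
		)
	}

	vuln := seed()
	unscopedDeleted = vuln.RevokeUnscoped(admin, "code-org2") == nil && !vuln.Has("code-org2")

	fixed := seed()
	scopedRefused = errors.Is(fixed.RevokeScoped(admin, "code-org2"), ErrNotFound) && fixed.Has("code-org2")
	scopedAllowedOwn = fixed.RevokeScoped(admin, "code-org1") == nil && !fixed.Has("code-org1")
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("unscoped handler deleted org-2 invite as org-1 admin: %v\n", a)
	fmt.Printf("scoped handler refused cross-org delete:              %v\n", b)
	fmt.Printf("scoped handler still allows own-org delete:           %v\n", c)
}
```

The point to carry over to real code is that object-level authorization has to be part of the lookup, not a separate step after it: whenever a handler resolves a client-supplied key, the query or filter should include the tenant (here the org) from the authenticated context, and a cross-tenant key should produce the same response as a nonexistent one.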

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability subscore: 1.2 | Impact subscore: 1.4
(Network-reachable, low attack complexity, high privileges required (org admin), no user interaction, scope unchanged; low integrity impact, no confidentiality or availability impact.)

Affected Packages (3 packages)

CVEList V5: grafana/grafana 10.4.0
NVD: grafana/grafana 10.4.0

🔴 Vulnerability Details (5)

OSV: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana (2024-11-04)
OSV: CVE-2024-10452: Organization admins can delete pending invites created in an organization they are not part of (2024-10-29)
GHSA: Grafana org admin can delete pending invites in different org (2024-10-29)
OSV: Grafana org admin can delete pending invites in different org (2024-10-29)
CVEList: CVE-2024-10452: Organization admins can delete pending invites created in an organization they are not part of (2024-10-29)

📋 Vendor Advisories (1)

Red Hat: grafana: Org admin can delete pending invites in different org (2024-10-29)