CVE-2024-1313
Published 2024-03-26
Priority: P3 (40, medium)
CVSS 3.1: 6.5 medium, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.65% (46.3th percentile)
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 10.0.0 < 10.0.13 | 10.0.13 |
| github.com | grafana_grafana | >= 10.1.0 < 10.1.9 | 10.1.9 |
| github.com | grafana_grafana | >= 10.2.0 < 10.2.6 | 10.2.6 |
| github.com | grafana_grafana | >= 10.3.0 < 10.3.5 | 10.3.5 |
| github.com | grafana_grafana | >= 9.5.0 < 9.5.18 | 9.5.18 |
| grafana | grafana | >= 10.0.0 < 10.0.13 | 10.0.13 |
| grafana | grafana | >= 10.1.0 < 10.1.9 | 10.1.9 |
| grafana | grafana | >= 10.2.0 < 10.2.6 | 10.2.6 |
| grafana | grafana | >= 10.3.0 < 10.3.5 | 10.3.5 |
| grafana | grafana | >= 9.5.0 < 9.5.18 | 9.5.18 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| osv | 6.5 | MEDIUM | |
| vendor_redhat | 6.5 | MEDIUM | |
OSV
Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana
osv·2024-06-05
CVE-2024-1313 Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v9.5.0 before v9.5.18, from v10.0.0 before v10.0.13, from v10.1.0 before v10.1.9, from v10.2.0 before v10.2.6, from v10.3.0 before v10.3.5.
OSV
Grafana: Users outside an organization can delete a snapshot with its key
osv·2024-04-05
CVE-2024-1313 [HIGH] Grafana: Users outside an organization can delete a snapshot with its key
### Summary
The ***DELETE /api/snapshots/{key}*** endpoint allows any Grafana user to delete a snapshot if the user is NOT in the snapshot's organization.
### Details
An attacker (a user with no organization affiliation, or with the "no basic role" in an organization other than the one where the dashboard exists) who knows the key or URL of a snapshot created by any user (including Grafana admins) can delete that snapshot through the API (this is not possible via the UI). This is a BOLA (broken object level authorization) vulnerability.
An attacker in the same organization as the dashboard snapshot cannot delete it. A low-privileged attacker in a different organization can, which is the authorization flaw.
GHSA
Grafana: Users outside an organization can delete a snapshot with its key
ghsa·2024-04-05
CVE-2024-1313 [HIGH] CWE-639 Grafana: Users outside an organization can delete a snapshot with its key
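The behaviour described in the CVE record and in the advisory details above (a same-org non-owner is denied, a low-privileged user from another organization is let through, and the public view key from the share URL is all that is needed) is easiest to reason about as a fail-open branch in the authorization decision. The Go model below is an added example, not Grafana's code: the types `User`, `Snapshot`, `Store`, the helper `dashboardInOrg` and the functions `canDeleteVulnerable` / `canDeleteFixed` are all assumptions made for the illustration, and the exact mechanism of the vulnerable branch (an org-scoped dashboard lookup done with the caller's org, with a miss treated as "nothing to check") is an assumption chosen to reproduce the advisory's observed outcomes, not a reading of the real patch. The fixed variant shows the check a reviewer would expect: the snapshot's own organization is the authority, and a lookup miss fails closed.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Grafana's code: a minimal model of the authorization
// decision behind DELETE /api/snapshots/{key}. All names here (User, Snapshot,
// Store, canDeleteVulnerable, canDeleteFixed) are assumptions made for the
// illustration, as is the exact fail-open shape of the vulnerable branch.

var ErrNotFound = errors.New("snapshot not found")

// User is the caller: its ID, the organization it is signed into, and whether
// it holds edit permission on dashboards there (assumed simplification).
type User struct {
	ID      int64
	OrgID   int64
	CanEdit bool
}

// Snapshot records the org it was created in, its creator and the source
// dashboard. Key is the public view key embedded in the share URL.
type Snapshot struct {
	Key         string
	OrgID       int64
	UserID      int64
	DashboardID int64
}

// Store is an in-memory stand-in for the database.
type Store struct {
	Snapshots  map[string]Snapshot
	Dashboards map[int64]int64 // dashboard ID -> owning org ID
}

// dashboardInOrg models an org-scoped dashboard query: the row is only
// returned when the org ID used for the query matches the dashboard's org.
func (s Store) dashboardInOrg(dashboardID, orgID int64) bool {
	org, ok := s.Dashboards[dashboardID]
	return ok && org == orgID
}

// canDeleteVulnerable looks the dashboard up in the CALLER's org and treats a
// miss as "nothing to authorize against". A same-org non-owner is still
// denied, but a caller from any other org never reaches the check.
func canDeleteVulnerable(s Store, caller User, key string) (bool, error) {
	snap, ok := s.Snapshots[key]
	if !ok {
		return false, ErrNotFound
	}
	if !s.dashboardInOrg(snap.DashboardID, caller.OrgID) {
		return true, nil // fail-open: no dashboard found, check skipped
	}
	return caller.CanEdit || caller.ID == snap.UserID, nil
}

// canDeleteFixed makes the snapshot's own org the authority: a caller signed
// into a different org is denied before any lookup, the creator may always
// delete, and anyone else needs edit permission evaluated in the snapshot's
// org. A missing dashboard now fails closed.
func canDeleteFixed(s Store, caller User, key string) (bool, error) {
	snap, ok := s.Snapshots[key]
	if !ok {
		return false, ErrNotFound
	}
	if snap.OrgID != caller.OrgID {
		return false, nil
	}
	if caller.ID == snap.UserID {
		return true, nil
	}
	return caller.CanEdit && s.dashboardInOrg(snap.DashboardID, snap.OrgID), nil
}

// sampleStore builds constructed test data: dashboard 1 lives in org 1 and
// snapshot "abc" was taken from it by user 10.
func sampleStore() Store {
	return Store{
		Snapshots:  map[string]Snapshot{"abc": {Key: "abc", OrgID: 1, UserID: 10, DashboardID: 1}},
		Dashboards: map[int64]int64{1: 1},
	}
}

func main() {
	s := sampleStore()
	callers := map[string]User{
		"creator (org 1)":        {ID: 10, OrgID: 1, CanEdit: true},
		"viewer in org 1":        {ID: 11, OrgID: 1},
		"low-priv user in org 2": {ID: 20, OrgID: 2},
	}
	for name, u := range callers {
		v, _ := canDeleteVulnerable(s, u, "abc")
		f, _ := canDeleteFixed(s, u, "abc")
		fmt.Printf("%-24s vulnerable=%-5v fixed=%v\n", name, v, f)
	}
}
```

Running `main` prints one line per caller; only the org-2 user differs between the two models, which is exactly the cross-organization case the advisory describes. The design point carried by `canDeleteFixed` is that object ownership (here, the snapshot's `OrgID`) must be compared against the caller's context before any further lookup, and that a lookup that cannot resolve the object must deny rather than skip the check.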
OSV
osv·2024-03-26·CVSS 6.5
CVE-2024-1313 [MEDIUM] (Grafana Labs description, reproduced in the CVE record above)
Red Hat
grafana: vulnerable to authorization bypass
vendor_redhat·2024-03-26·CVSS 6.5
CVE-2024-1313 [MEDIUM] CWE-639 grafana: vulnerable to authorization bypass
(Grafana Labs description, reproduced in the CVE record above)
No detection rules found.
No public exploits indexed.
Unit42
Harnessing LLMs for Automating BOLA Detection
blogs_unit42·2024-08-12·CVSS 7.7
[HIGH] Harnessing LLMs for Automating BOLA Detection
Ravid Mazon, Jay Chen · Published: August 12, 2024 · Threat Research, Vulnerabilities
Tags: API, BOLA, GenAI, LLM, Web application firewall
## Executive Summary
This post presents our research on a methodology we call BOLABuster, which uses large language models (LLMs) to detect broken object level authorization (BOLA) vulnerabilities. By automating BOLA detection at scale, we will show promising results in identifying these vulnerabilities in open-source projects.
BOLA is a widespread and potentially critical vulnerability in modern APIs and web applications. While manually exploiting BOLA vulnerabilities is usually straightforward, automatically identifying new BOLAs is challenging for the following reasons:
- The complexities of application logic
- The diverse range of input parameters
- The stateful nature of modern web applications
For these reasons, traditional methodologies like fuzzing and static analysis are ineff
Unit42
AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments
blogs_unit42·2024-07-25·CVSS 7.7
CVE-2023-3285 [HIGH] AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments
Ravid Mazon, Jay Chen · Published: July 25, 2024 · Threat Research, Vulnerabilities
Tags: API attacks, BOLA, CVE-2023-3285, CVE-2023-3290, CVE-2023-38047, CVE-2023-38055, Easy!Appointments
## Executive Summary
Palo Alto Networks has been actively researching and developing security capabilities using AI. In an effort to audit web applications for Broken Object-Level Authorization (BOLA) vulnerabilities, Unit 42 researchers developed an automated BOLA detection tool leveraging GenAI.
In 2023, we used our tool to test an open-source project, Easy!Appointments, and found 15 BOLA vulnerabilities. We notified the vendor, who has since patched the vulnerabilities. The number of issues we found highlights the prevalence of BOLA vulnerabilities in API applications and underscores the importance of continuously scrutinizing software for these potentially severe issues.
Easy!Appointments is a popular tool used for scheduling and managing appointments, as well as synchronizing data
Unit42
Exposing a New BOLA Vulnerability in Grafana
blogs_unit42·2024-03-27·CVSS 6.5
CVE-2024-1313 [MEDIUM] Exposing a New BOLA Vulnerability in Grafana
Ravid Mazon, Jay Chen · Published: March 27, 2024 · Threat Research, Vulnerabilities
Tags: API, API attacks, BOLA, CVE-2024-1313
## Executive Summary
Unit 42 researchers have discovered a new Broken Object Level Authorization (BOLA) vulnerability that impacts Grafana versions from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. Grafana is a popular open-source data observability and visualization platform with over 20 million users worldwide and almost 60,000 stars on GitHub.
This vulnerability, assigned as CVE-2024-1313 with a CVSS score of 6.5, allows low-privileged Grafana users to delete dashboard snapshots belonging to other organizations using the snapshot's keys, impacting the integrity of the system. Exploiting this vulnerability is relatively straightforward as it only requires knowledge of the snapshot's key, which is not c