CVE-2024-1313: Authorization Bypass Through User-Controlled Key in Grafana

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 90.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26; Latest update Jun 5

Description

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete the snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to be available only to users with permission to write to or edit the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization from the snapshot owner are treated as authorized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Exploitability: 2.8 | Impact: 3.6)

Affected Packages (2 packages)

Source | Package | Version range
CVEListV5 | grafana/grafana | 9.5.0 to 9.5.18, +4 more
Go | github.com/grafana_grafana | 9.5.0 to 9.5.18, +4 more

🔴 Vulnerability Details (5)

OSV (2024-06-05): Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana
OSV (2024-04-05): Grafana: Users outside an organization can delete a snapshot with its key
GHSA (2024-04-05): Grafana: Users outside an organization can delete a snapshot with its key
CVEList (2024-03-26): Users outside an organization can delete a snapshot with its key
OSV (2024-03-26): CVE-2024-1313: It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE r…

📋 Vendor Advisories (1)

Red Hat (2024-03-26): grafana: vulnerable to authorization bypass

🕵️ Threat Intelligence (2)

Unit42 (2024-03-27): Exposing a New BOLA Vulnerability in Grafana
Unit42 (2024-03-27): Exposing a New BOLA Vulnerability in Grafana
CVE-2024-1313 — Grafana vulnerability | cvebase