CVE-2024-1442
Published: 2024-03-07
Priority: P3 (53); severity high, CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% (52.0th percentile)
A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to *.
Doing this grants the user access to read, query, edit and delete all data sources within the organization.
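As an added defensive check (not Grafana's own code), a Python audit that flags data sources carrying the wildcard UID and a pre-create validator that rejects it; it assumes the GET /api/datasources response shape (entries with id, uid, name, type, orgId) and uses a constructed sample list.

```python
"""Audit Grafana data sources for the wildcard UID abused in CVE-2024-1442.

Added example (not Grafana's own code). It inspects the JSON list that
GET /api/datasources returns (entries carry "id", "uid", "name", "type",
"orgId") and flags any data source whose UID is "*"; it also offers a
pre-create check for an admission proxy or config lint (an assumed use).
SAMPLE_DATASOURCES is a constructed payload.
"""
import json
import urllib.request

WILDCARD_UID = "*"

# Constructed sample response; entry 2 has the shape that would be left
# behind on an unpatched instance after the UID "*" abuse.
SAMPLE_DATASOURCES = [
    {"id": 1, "uid": "P1809F7CD0C75ACF3", "name": "Prometheus", "type": "prometheus", "orgId": 1},
    {"id": 2, "uid": "*", "name": "innocuous", "type": "testdata", "orgId": 1},
    {"id": 3, "uid": "loki-prod", "name": "Loki", "type": "loki", "orgId": 1},
]

def fetch_datasources(base_url: str, token: str) -> list:
    """GET /api/datasources with a service-account token. Needs org-level
    datasources:read; run it from a trusted admin host."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/datasources",
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def find_wildcard_datasources(datasources: list) -> list:
    """Return (id, name, orgId) for each data source whose UID is exactly "*".
    Only the literal "*" is the CVE-2024-1442 condition; uid_is_acceptable
    below is deliberately stricter."""
    return [
        (ds.get("id"), ds.get("name"), ds.get("orgId"))
        for ds in datasources
        if ds.get("uid") == WILDCARD_UID
    ]

def uid_is_acceptable(uid) -> bool:
    """Conservative pre-create check: reject the wildcard (also when padded
    with whitespace) and any UID containing "*", because Grafana RBAC scopes
    such as datasources:uid:* treat "*" as a wildcard. An empty UID is fine:
    Grafana assigns one on creation."""
    if uid is None or uid == "":
        return True
    return "*" not in str(uid).strip()
```

Run `find_wildcard_datasources(fetch_datasources(url, token))` from a scheduled job and alert on any non-empty result; on the constructed sample it reports only the "innocuous" entry.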
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 10.0.0 < 10.0.12 | 10.0.12 |
| github.com | grafana_grafana | >= 10.1.0 < 10.1.8 | 10.1.8 |
| github.com | grafana_grafana | >= 10.2.0 < 10.2.5 | 10.2.5 |
| github.com | grafana_grafana | >= 10.3.0 < 10.3.4 | 10.3.4 |
| github.com | grafana_grafana | >= 8.5.0 < 9.5.7 | 9.5.7 |
| grafana | grafana | >= 10.0.0 < 10.0.12 | 10.0.12 |
| grafana | grafana | >= 10.1.0 < 10.1.8 | 10.1.8 |
| grafana | grafana | >= 10.2.0 < 10.2.5 | 10.2.5 |
| grafana | grafana | >= 10.3.0 < 10.3.4 | 10.3.4 |
| grafana | grafana | >= 8.5.0 < 9.5.7 | 9.5.7 |
| linux | linux_kernel | >= 0 < 6.1.119-1 | 6.1.119-1 |
| linux | linux_kernel | >= 0 < 6.11.7-1 | 6.11.7-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_oracle | | 6.0 | MEDIUM | |
| vendor_redhat | | 6.0 | MEDIUM | |
OSV (Go vulnerability database), 2024-06-05
CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v9.5.7, from v10.0.0 before v10.0.12, from v10.1.0 before v10.1.8, from v10.2.0 before v10.2.5, from v10.3.0 before v10.3.4.
GHSA, 2024-03-07, HIGH, CWE-269
CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources.
OSV, 2024-03-07, HIGH, CVSS 8.8
CVE-2024-1442: A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to *.
OSV, 2024-03-07, HIGH
CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources.
Oracle, 2025-01-15, MEDIUM, CVSS 6.0
Oracle Communications Applications Risk Matrix: Core (Grafana) — CVE-2024-1442
CVE: CVE-2024-1442
CVSS: 6.0
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
Red Hat, 2024-03-07, MEDIUM, CWE-269, CVSS 6.0
grafana: Improper privilege management for users with data source permissions
A flaw was found in Grafana where setting a data source UID to '*' via the Grafana API grants unrestricted access. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. Such unrestricted access can lead to data breaches, manipulation, privacy violations, and compliance issues, emphasizing the critical importance of implementing stringent a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.