CVE-2024-1442 — Improper Privilege Management in Grafana

CWE-269 — Improper Privilege Management9 documents6 sources

Severity

8.8HIGHNVD

CNA6.0

EPSS

0.2%

top 56.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Github.com Grafana Grafana

Timeline

PublishedMar 7

Latest updateJan 15

Description

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5grafana/grafana8.5.0 — 9.5.7+4

▶NVDgrafana/grafana8.5.0 — 9.5.7+4

▶Gogithub.com/grafana_grafana8.5.0 — 9.5.7+4

🔴Vulnerability Details

OSV

CVE-2024-50228: In the Linux kernel, the following vulnerability has been resolved: mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report dur↗2024-11-09

▶

OSV

Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana↗2024-06-05

▶

GHSA

Grafana's users with permissions to create a data source can CRUD all data sources↗2024-03-07

▶

OSV

CVE-2024-1442: A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *↗2024-03-07

▶

CVEList

User with permissions to create a data source can CRUD all data sources↗2024-03-07

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Grafana) — CVE-2024-1442↗2025-01-15

▶

Red Hat

grafana: Improper priviledge managent for users with data source permissions↗2024-03-07

▶