CVE-2024-6322 — Incorrect Privilege Assignment in Grafana
Severity
5.4 MEDIUM (NVD)
EPSS
0.0%
top 90.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 20
Latest update: Aug 22
Description
Access control for plugin data sources protected by the ReqActions JSON field of plugin.json is bypassed if the user or service account is granted associated access to any other data source, because the ReqActions check was not scoped to each specific data source. The account must have prior query access to the impacted data source.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
Exploitability: 2.2 | Impact: 2.7
Affected Packages: 3 packages
Vulnerability Details (5)
OSV: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana (2024-08-22)
OSV: CVE-2024-6322: Access control for plugin data sources protected by the ReqActions json field of the plugin (2024-08-20)
CVEList: CVE-2024-6322: Access control for plugin data sources protected by the ReqActions json field of the plugin (2024-08-20)