High severityNVD Advisory· Published Mar 7, 2024· Updated Nov 22, 2024

User with permissions to create a data source can CRUD all data sources

CVE-2024-1442

Description

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/grafana/grafanaGo	>= 8.5.0, < 9.5.7	9.5.7
github.com/grafana/grafanaGo	>= 10.0.0, < 10.0.12	10.0.12
github.com/grafana/grafanaGo	>= 10.1.0, < 10.1.8	10.1.8
github.com/grafana/grafanaGo	>= 10.2.0, < 10.2.5	10.2.5
github.com/grafana/grafanaGo	>= 10.3.0, < 10.3.4	10.3.4

Affected products

Grafana/Grafanav5
Range: 8.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5mxf-42f5-j782ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-1442ghsaADVISORY
grafana.com/security/security-advisories/cve-2024-1442ghsaWEB
security.netapp.com/advisory/ntap-20241122-0007ghsaWEB
grafana.com/security/security-advisories/cve-2024-1442/mitre

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000