High severity · NVD Advisory · Published Mar 7, 2024 · Updated Nov 22, 2024
User with permissions to create a data source can CRUD all data sources
CVE-2024-1442
Description
A user with the permissions to create a data source can use the Grafana API to create a data source with its UID set to *. Doing this grants the user access to read, query, edit and delete all data sources within the organization.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | >= 8.5.0, < 9.5.7 | 9.5.7 |
| github.com/grafana/grafana (Go) | >= 10.0.0, < 10.0.12 | 10.0.12 |
| github.com/grafana/grafana (Go) | >= 10.1.0, < 10.1.8 | 10.1.8 |
| github.com/grafana/grafana (Go) | >= 10.2.0, < 10.2.5 | 10.2.5 |
| github.com/grafana/grafana (Go) | >= 10.3.0, < 10.3.4 | 10.3.4 |
Affected products (12)
- osv-coords, 11 versions (< 10.4.0-r0, + 10 more):
  - pkg:apk/chainguard/grafana
  - pkg:apk/chainguard/grafana-dashboards
  - pkg:apk/chainguard/grafana-fips-11.6
  - pkg:apk/chainguard/grafana-fips-12.2
  - pkg:apk/chainguard/grafana-fips-12.3
  - pkg:apk/chainguard/grafana-fips-12.4
  - pkg:apk/chainguard/grafana-fips-13.0
  - pkg:apk/chainguard/grafana-homepage
  - pkg:apk/wolfi/grafana
  - pkg:bitnami/grafana
  - pkg:golang/github.com/grafana/grafana
- (no CPE) range: < 10.4.0-r0
- (no CPE) range: < 10.4.0-r0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 10.4.0-r0
- (no CPE) range: < 10.4.0-r0
- (no CPE) range: >= 8.5.0, < 9.5.7
- (no CPE) range: >= 8.5.0, < 9.5.7
Patches
Vulnerability mechanics
References (5)
News mentions (0)
No linked articles in our index yet.