VYPR
High severity · NVD Advisory · Published Mar 7, 2024 · Updated Nov 22, 2024

User with permissions to create a data source can CRUD all data sources

CVE-2024-1442

Description

A user with the permissions to create a data source can use the Grafana API to create a data source with its UID set to *. Doing this grants the user access to read, query, edit and delete all data sources within the organization.


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/grafana/grafana (Go) | >= 8.5.0, < 9.5.7 | 9.5.7 |
| github.com/grafana/grafana (Go) | >= 10.0.0, < 10.0.12 | 10.0.12 |
| github.com/grafana/grafana (Go) | >= 10.1.0, < 10.1.8 | 10.1.8 |
| github.com/grafana/grafana (Go) | >= 10.2.0, < 10.2.5 | 10.2.5 |
| github.com/grafana/grafana (Go) | >= 10.3.0, < 10.3.4 | 10.3.4 |
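
An added audit sketch, not code from Grafana or from this advisory: it checks a version string against the affected ranges in the table above and flags any data source whose UID is `*` in a listing shaped like the JSON returned by `GET /api/datasources`. The sample listing is constructed, and the function names are assumptions made for this example.

```python
import json

# (first affected, first patched) pairs, taken from the advisory's version table.
AFFECTED_RANGES = [
    ((8, 5, 0), (9, 5, 7)),
    ((10, 0, 0), (10, 0, 12)),
    ((10, 1, 0), (10, 1, 8)),
    ((10, 2, 0), (10, 2, 5)),
    ((10, 3, 0), (10, 3, 4)),
]

# Constructed sample shaped like a data source listing; not real data.
SAMPLE_LISTING = json.dumps([
    {"id": 1, "orgId": 1, "uid": "prom-main", "name": "Prometheus", "type": "prometheus"},
    {"id": 2, "orgId": 1, "uid": "*", "name": "scratch", "type": "testdata"},
    {"id": 3, "orgId": 1, "uid": "loki-logs", "name": "Loki", "type": "loki"},
])


def parse_version(text):
    """Parse 'v10.2.3' or '10.2.3-pre+build' into (10, 2, 3); suffixes are ignored."""
    core = text.strip().lstrip("v").split("+")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the version falls inside any affected range (patched bound excluded)."""
    v = parse_version(version)
    return any(first <= v < patched for first, patched in AFFECTED_RANGES)


def wildcard_datasources(listing_json):
    """Return (orgId, id, name) for every data source whose UID is exactly '*'."""
    return [(ds.get("orgId"), ds.get("id"), ds.get("name"))
            for ds in json.loads(listing_json)
            if ds.get("uid") == "*"]


def audit(version, listing_json):
    """Combine both checks into one report a reviewer can act on."""
    return {"version_affected": is_affected(version),
            "wildcard_uid_datasources": wildcard_datasources(listing_json)}


if __name__ == "__main__":
    print(audit("10.2.4", SAMPLE_LISTING))
```

A data source with UID `*` is worth reviewing even on a patched version, since it may have been created before the upgrade.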
