Medium severity 5.4 · GHSA Advisory · Published Aug 20, 2024 · Updated Apr 15, 2026
CVE-2024-6322
Description
Access control for plugin data sources protected by the ReqActions JSON field of plugin.json is bypassed if the user or service account is granted the associated access to any other data source, because the ReqActions check was not scoped to each specific data source. The account must have prior query access to the impacted data source.
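The scoping flaw described above, as an added example that is not Grafana's code: a simplified permission model in which the type and function names, the action strings, the `datasources:uid:<uid>` scope format and the sample grants are all assumptions made for illustration.

```go
package main

import "fmt"

// Grants maps an action to the scopes it was granted on (simplified model).
type Grants map[string]map[string]bool

const (
	queryAction  = "datasources:query"            // assumed name for base query access
	pluginAction = "example-plugin.resource:read" // constructed ReqActions value
)

func scopeFor(uid string) string { return "datasources:uid:" + uid }

// grantedOn reports whether action is held on this datasource or via a wildcard scope.
func grantedOn(g Grants, action, uid string) bool {
	return g[action][scopeFor(uid)] || g[action]["datasources:uid:*"]
}

// AllowUnscoped models the flaw: the required action passes if it is held
// on any scope at all, regardless of which datasource is being requested.
func AllowUnscoped(g Grants, reqAction, uid string) bool {
	return grantedOn(g, queryAction, uid) && len(g[reqAction]) > 0
}

// AllowScoped models the corrected behaviour: the required action must be
// held on the datasource that the request targets.
func AllowScoped(g Grants, reqAction, uid string) bool {
	return grantedOn(g, queryAction, uid) && grantedOn(g, reqAction, uid)
}

// sampleGrants is constructed data: query access on ds-a and ds-b,
// the plugin action on ds-a only, nothing on ds-c.
func sampleGrants() Grants {
	return Grants{
		queryAction:  {scopeFor("ds-a"): true, scopeFor("ds-b"): true},
		pluginAction: {scopeFor("ds-a"): true},
	}
}

func main() {
	g := sampleGrants()
	for _, uid := range []string{"ds-a", "ds-b", "ds-c"} {
		fmt.Printf("%s unscoped=%v scoped=%v\n", uid,
			AllowUnscoped(g, pluginAction, uid), AllowScoped(g, pluginAction, uid))
	}
}
```

The two checks disagree only for `ds-b`, where the account has query access but holds the plugin action on a different data source, which matches the precondition stated in the description.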
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | >= 11.1.0, < 11.1.1 | 11.1.1 |
| github.com/grafana/grafana (Go) | >= 11.1.2, < 11.1.3 | 11.1.3 |
| github.com/grafana/grafana (Go) | >= 0.0.0-20240521130516-0072e4a92d89, < 0.0.0-20240725142242-c326d865c58b | 0.0.0-20240725142242-c326d865c58b |
| github.com/grafana/grafana (Go) | >= 1.9.2-0.20240521130516-0072e4a92d89, < 1.9.2-0.20240725142242-c326d865c58b | 1.9.2-0.20240725142242-c326d865c58b |
Affected products (14)
- osv-coords, 13 versions (< 11.1.3-r0 + 12 more):
  - pkg:apk/chainguard/grafana-11.1
  - pkg:apk/chainguard/grafana-11.1-oci-compat
  - pkg:apk/chainguard/grafana-fips-11.6
  - pkg:apk/chainguard/grafana-fips-12.2
  - pkg:apk/chainguard/grafana-fips-12.3
  - pkg:apk/chainguard/grafana-fips-12.4
  - pkg:apk/chainguard/grafana-fips-13.0
  - pkg:apk/chainguard/grafana-oci-compat
  - pkg:apk/wolfi/grafana-11.1
  - pkg:apk/wolfi/grafana-11.1-oci-compat
  - pkg:apk/wolfi/grafana-oci-compat
  - pkg:bitnami/grafana
  - pkg:golang/github.com/grafana/grafana
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: < 11.1.3-r0
- (no CPE) range: >= 11.1.0, < 11.1.3
- (no CPE) range: >= 11.1.0, < 11.1.1
References (6)
- github.com/advisories/GHSA-hh8p-374f-qgr5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-6322 (ghsa, ADVISORY)
- github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef (ghsa, WEB)
- github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2024-6322 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2024-6322/nvd