VYPR
Medium severity (5.4) · GHSA Advisory · Published Aug 20, 2024 · Updated Apr 15, 2026

CVE-2024-6322

Description

Access control for plugin data sources protected by the ReqActions JSON field of plugin.json is bypassed if the user or service account is granted associated access to any other data source, because the ReqActions check was not scoped to each specific data source. The account must have prior query access to the impacted data source.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/grafana/grafana (Go) | >= 11.1.0, < 11.1.1 | 11.1.1 |
| github.com/grafana/grafana (Go) | >= 11.1.2, < 11.1.3 | 11.1.3 |
| github.com/grafana/grafana (Go) | >= 0.0.0-20240521130516-0072e4a92d89, < 0.0.0-20240725142242-c326d865c58b | 0.0.0-20240725142242-c326d865c58b |
| github.com/grafana/grafana (Go) | >= 1.9.2-0.20240521130516-0072e4a92d89, < 1.9.2-0.20240725142242-c326d865c58b | 1.9.2-0.20240725142242-c326d865c58b |
