First published: Thu Mar 07 2024
A user with permission to create a data source can use the Grafana API to create a data source whose UID is set to `*`. Doing so grants that user access to read, query, edit and delete all data sources within the organization.
Credit: security@grafana.com
Affected Software | Affected Version | How to fix
---|---|---
redhat/grafana | <9.5.7 | 9.5.7
redhat/grafana | <10.0.12 | 10.0.12
redhat/grafana | <10.1.8 | 10.1.8
redhat/grafana | <10.2.5 | 10.2.5
redhat/grafana | <10.3.4 | 10.3.4
go/github.com/grafana/grafana | >=10.3.0, <10.3.4 | 10.3.4
go/github.com/grafana/grafana | >=10.2.0, <10.2.5 | 10.2.5
go/github.com/grafana/grafana | >=10.1.0, <10.1.8 | 10.1.8
go/github.com/grafana/grafana | >=10.0.0, <10.0.12 | 10.0.12
go/github.com/grafana/grafana | >=8.5.0, <9.5.7 | 9.5.7
Grafana Labs Grafana OSS and Enterprise | >=8.5.0, <9.5.7 |
Grafana Labs Grafana OSS and Enterprise | >=10.0.0, <10.0.12 |
Grafana Labs Grafana OSS and Enterprise | >=10.1.0, <10.1.8 |
Grafana Labs Grafana OSS and Enterprise | >=10.2.0, <10.2.5 |
Grafana Labs Grafana OSS and Enterprise | >=10.3.0, <10.3.4 |
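As an added audit helper (not code from the advisory or from Grafana), the Python below maps a running Grafana version to the fixed release from the table above and flags any data source whose UID is the wildcard `*` in the JSON list returned by `GET /api/datasources`; the sample response is constructed for offline use.

```python
"""Audit helpers for CVE-2024-1442 (Grafana data source wildcard UID)."""
from typing import Optional

# Affected ranges and fixed releases, taken from the advisory table:
# [lower bound inclusive, upper bound exclusive) -> fixed release.
AFFECTED_RANGES = [
    ((8, 5, 0), (9, 5, 7), "9.5.7"),
    ((10, 0, 0), (10, 0, 12), "10.0.12"),
    ((10, 1, 0), (10, 1, 8), "10.1.8"),
    ((10, 2, 0), (10, 2, 5), "10.2.5"),
    ((10, 3, 0), (10, 3, 4), "10.3.4"),
]


def parse_version(version: str) -> tuple:
    """Turn '10.2.3' (or '10.2.3+security-01') into a comparable tuple."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release that fixes CVE-2024-1442 for this version,
    or None when the version is outside every affected range."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:
            return fix
    return None


def find_wildcard_datasources(datasources: list) -> list:
    """Return the names of data sources whose UID is the wildcard '*'.

    `datasources` is the list returned by GET /api/datasources; each
    entry is expected to carry at least 'uid' and 'name'.
    """
    return [ds["name"] for ds in datasources if ds.get("uid") == "*"]


# Constructed sample response for offline use; not real Grafana output.
SAMPLE_DATASOURCES = [
    {"id": 1, "uid": "P8E80F9AEF21F6940", "name": "Prometheus", "type": "prometheus"},
    {"id": 2, "uid": "*", "name": "suspicious-ds", "type": "loki"},
    {"id": 3, "uid": "a1b2c3d4", "name": "Loki", "type": "loki"},
]

if __name__ == "__main__":
    print("fix needed:", fixed_version_for("10.2.3"))  # 10.2.5
    print("wildcard UIDs:", find_wildcard_datasources(SAMPLE_DATASOURCES))  # ['suspicious-ds']
```

A non-empty result from `find_wildcard_datasources` on a live instance is worth investigating regardless of version, since a wildcard data source created before patching persists after the upgrade.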
CVE-2024-1442 is classified as a high-severity vulnerability due to its potential to grant unauthorized access to all data sources within the organization.
To remediate CVE-2024-1442, update Grafana to version 10.3.4, 10.2.5, 10.1.8, or 10.0.12.
CVE-2024-1442 affects Grafana versions from 9.5.0 up to 10.3.4, within the specific release ranges listed in the table above.
Yes, an attacker with permissions to create a data source can exploit CVE-2024-1442 remotely via the Grafana API.
Exploitation of CVE-2024-1442 could allow unauthorized users to read, query, edit, and delete all data sources within the targeted Grafana organization.