ALT-PU-2024-17179-3

BDU:2024-01927

MEDIUM6.0

Уязвимость реализации прикладного программного интерфейса веб-инструмента представления данных Grafana, позволяющая нарушителю получить несанкционированный доступ к ограниченным функциям

Published: 2024-03-13Modified: 2025-02-07

CVSS 3.xMEDIUM 6.0

CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

CVSS 2.0HIGH 8.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:P/A:P

References

CVE-2024-1442

BDU:2024-07696

MEDIUM4.1

Уязвимость реализации прикладного программного интерфейса Endpoint платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии

Published: 2024-10-03Modified: 2025-02-07

CVSS 3.xMEDIUM 4.1

CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:P

References

CVE-2024-8118

CVE-2024-1442

HIGH8.8

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Published: 2024-03-07Modified: 2025-03-11

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2024-8118

MEDIUM5.1

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

Published: 2024-09-26Modified: 2026-04-15

CVSS 4.0MEDIUM 5.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

https://grafana.com/security/security-advisories/cve-2024-8118/

GHSA-5mxf-42f5-j782

HIGH7.0

Grafana's users with permissions to create a data source can CRUD all data sources

Published: 2024-03-07Modified: 2024-11-22

CVSS 3.xHIGH 7.0

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

CVSS 4.0HIGH 7.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

References

Package update grafana in branch p10

Closed issues (5)

Уязвимость реализации прикладного программного интерфейса Endpoint платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю повысить свои привилегии

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

Grafana's users with permissions to create a data source can CRUD all data sources