10 results (0.012 seconds)

CVSS: 5.1EPSS: 0%CPEs: 5EXPL: 0

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. • https://grafana.com/security/security-advisories/cve-2024-8118 • CWE-653: Improper Isolation or Compartmentalization •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. Es posible que un usuario de una organización diferente al propietario de una instantánea omita la autorización y elimine una instantánea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad está destinada a estar disponible solo para personas con permiso para escribir/editar la instantánea en cuestión, pero debido a un error en la lógica de autorización, las solicitudes de eliminación emitidas por un usuario sin privilegios en una organización diferente a la del propietario de la instantánea se tratan. según lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. • https://grafana.com/security/security-advisories/cve-2024-1313 https://security.netapp.com/advisory/ntap-20240524-0008 https://access.redhat.com/security/cve/CVE-2024-1313 https://bugzilla.redhat.com/show_bug.cgi?id=2271903 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización. A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. • https://grafana.com/security/security-advisories/cve-2024-1442 https://access.redhat.com/security/cve/CVE-2024-1442 https://bugzilla.redhat.com/show_bug.cgi?id=2268486 • CWE-269: Improper Privilege Management •

CVSS: 5.4EPSS: 0%CPEs: 10EXPL: 0

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. Un usuario que cambia su correo electrónico después de registrarse y verificarlo puede cambiarlo sin verificación en la configuración del perfil. La opción de configuración "verify_email_enabled" solo validará el correo electrónico al registrarse. • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f https://grafana.com/security/security-advisories/cve-2023-6152 • CWE-863: Incorrect Authorization •

CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address. Grafana es una plataforma de código abierto para monitorización y observabilidad. En Grafana Enterprise, la seguridad de solicitudes es una lista de denegación que permite a los administradores configurar Grafana de manera que la instancia no llame a hosts específicos. Sin embargo, la restricción se puede eludir utilizando la codificaciówn punycode de los caracteres en la dirección de solicitud. • https://grafana.com/security/security-advisories/cve-2023-4399 https://security.netapp.com/advisory/ntap-20231208-0003 • CWE-183: Permissive List of Allowed Inputs •