CVSS: 9.1EPSS: %CPEs: 1EXPL: 0CVE-2024-8986 – Information Leakage in grafana-plugin-sdk-go
https://notcve.org/view.php?id=CVE-2024-8986
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials. El SDK del complemento Grafana incluye metadatos de compilación en los binarios que compila; estos metadatos incluyen el URI del repositorio para el complemento que se está compilando, tal como se obtiene al ejecutar `git remote get-url origin`. Si se incluyen credenciales en el URI del repositorio (por ejemplo, para permitir la obtención de dependencias privadas), el binario final contendrá el URI completo, incluidas dichas credenciales. • https://grafana.com/security/security-advisories/cve-2024-8986 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6322
https://notcve.org/view.php?id=CVE-2024-6322
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1313 – Users outside an organization can delete a snapshot with its key
https://notcve.org/view.php?id=CVE-2024-1313
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. Es posible que un usuario de una organización diferente al propietario de una instantánea omita la autorización y elimine una instantánea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad está destinada a estar disponible solo para personas con permiso para escribir/editar la instantánea en cuestión, pero debido a un error en la lógica de autorización, las solicitudes de eliminación emitidas por un usuario sin privilegios en una organización diferente a la del propietario de la instantánea se tratan. según lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. • https://grafana.com/security/security-advisories/cve-2024-1313 https://security.netapp.com/advisory/ntap-20240524-0008 https://access.redhat.com/security/cve/CVE-2024-1313 https://bugzilla.redhat.com/show_bug.cgi?id=2271903 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1442 – User with permissions to create a data source can CRUD all data sources
https://notcve.org/view.php?id=CVE-2024-1442
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización. A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. • https://grafana.com/security/security-advisories/cve-2024-1442 https://access.redhat.com/security/cve/CVE-2024-1442 https://bugzilla.redhat.com/show_bug.cgi?id=2268486 • CWE-269: Improper Privilege Management •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5122 – SSRF in CSV Datasource Plugin
https://notcve.org/view.php?id=CVE-2023-5122
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/ https://www.example.com/` ), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user, resulting in an SSRF vector. AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Grafana es una plataforma de código abierto para monitoreo y observabilidad. • https://grafana.com/security/security-advisories/cve-2023-5122 https://security.netapp.com/advisory/ntap-20240503-0002 • CWE-918: Server-Side Request Forgery (SSRF) •