CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1313 – Users outside an organization can delete a snapshot with its key
https://notcve.org/view.php?id=CVE-2024-1313
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. Es posible que un usuario de una organización diferente al propietario de una instantánea omita la autorización y elimine una instantánea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad está destinada a estar disponible solo para personas con permiso para escribir/editar la instantánea en cuestión, pero debido a un error en la lógica de autorización, las solicitudes de eliminación emitidas por un usuario sin privilegios en una organización diferente a la del propietario de la instantánea se tratan. según lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. • https://grafana.com/security/security-advisories/cve-2024-1313 https://security.netapp.com/advisory/ntap-20240524-0008 https://access.redhat.com/security/cve/CVE-2024-1313 https://bugzilla.redhat.com/show_bug.cgi?id=2271903 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-1442 – User with permissions to create a data source can CRUD all data sources
https://notcve.org/view.php?id=CVE-2024-1442
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización. A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. • https://grafana.com/security/security-advisories/cve-2024-1442 https://access.redhat.com/security/cve/CVE-2024-1442 https://bugzilla.redhat.com/show_bug.cgi?id=2268486 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 10EXPL: 0CVE-2023-6152
https://notcve.org/view.php?id=CVE-2023-6152
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. Un usuario que cambia su correo electrónico después de registrarse y verificarlo puede cambiarlo sin verificación en la configuración del perfil. La opción de configuración "verify_email_enabled" solo validará el correo electrónico al registrarse. • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f https://grafana.com/security/security-advisories/cve-2023-6152 • CWE-863: Incorrect Authorization •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4399
https://notcve.org/view.php?id=CVE-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address. Grafana es una plataforma de código abierto para monitorización y observabilidad. En Grafana Enterprise, la seguridad de solicitudes es una lista de denegación que permite a los administradores configurar Grafana de manera que la instancia no llame a hosts específicos. Sin embargo, la restricción se puede eludir utilizando la codificaciówn punycode de los caracteres en la dirección de solicitud. • https://grafana.com/security/security-advisories/cve-2023-4399 https://security.netapp.com/advisory/ntap-20231208-0003 • CWE-183: Permissive List of Allowed Inputs •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4822 – grafana: incorrect assessment of permissions across organizations
https://notcve.org/view.php?id=CVE-2023-4822
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of. Grafana es una plataforma de código abierto para monitorización y observabilidad. La vulnerabilidad afecta las instancias de Grafana con varias organizaciones y permite a un usuario con permisos de Organization Admin en una organización cambiar los permisos asociados con los roles de Organization Viewer, Organization Editor and Organization Admin en todas las organizaciones. También permite que un Organization Admin asigne o revoque cualquier permiso que tenga para cualquier usuario a nivel mundial. • https://grafana.com/security/security-advisories/cve-2023-4822 https://security.netapp.com/advisory/ntap-20231103-0008 https://access.redhat.com/security/cve/CVE-2023-4822 https://bugzilla.redhat.com/show_bug.cgi?id=2239726 • CWE-269: Improper Privilege Management •