CVE-2024-1442
User with permissions to create a data source can CRUD all data sources
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización.
A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. Such unrestricted access can lead to data breaches, manipulation, privacy violations, and compliance issues, emphasizing the critical importance of implementing stringent access controls and monitoring API usage.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-12 CVE Reserved
- 2024-03-07 CVE Published
- 2024-03-08 EPSS Updated
- 2024-11-22 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
CAPEC
- CAPEC-233: Privilege Escalation
References (3)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-1442 | 2024-11-06 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2268486 | 2024-11-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 8.5.0 < 9.5.7 Search vendor "Grafana" for product "Grafana" and version " >= 8.5.0 < 9.5.7" | en |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 10.0.0 < 10.0.12 Search vendor "Grafana" for product "Grafana" and version " >= 10.0.0 < 10.0.12" | en |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 10.1.0 < 10.1.8 Search vendor "Grafana" for product "Grafana" and version " >= 10.1.0 < 10.1.8" | en |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 10.2.0 < 10.2.5 Search vendor "Grafana" for product "Grafana" and version " >= 10.2.0 < 10.2.5" | en |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 10.3.0 < 10.3.4 Search vendor "Grafana" for product "Grafana" and version " >= 10.3.0 < 10.3.4" | en |
Affected
|