// For flags

CVE-2024-1442

User with permissions to create a data source can CRUD all data sources

Severity Score

6.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgará al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organización.

A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. Such unrestricted access can lead to data breaches, manipulation, privacy violations, and compliance issues, emphasizing the critical importance of implementing stringent access controls and monitoring API usage.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-12 CVE Reserved
  • 2024-03-07 CVE Published
  • 2024-03-08 EPSS Updated
  • 2024-11-22 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
CAPEC
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.5.0 < 9.5.7
Search vendor "Grafana" for product "Grafana" and version " >= 8.5.0 < 9.5.7"
en
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 10.0.0 < 10.0.12
Search vendor "Grafana" for product "Grafana" and version " >= 10.0.0 < 10.0.12"
en
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 10.1.0 < 10.1.8
Search vendor "Grafana" for product "Grafana" and version " >= 10.1.0 < 10.1.8"
en
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 10.2.0 < 10.2.5
Search vendor "Grafana" for product "Grafana" and version " >= 10.2.0 < 10.2.5"
en
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 10.3.0 < 10.3.4
Search vendor "Grafana" for product "Grafana" and version " >= 10.3.0 < 10.3.4"
en
Affected