CVE-2024-9476

Privilege escalation vulnerability for Organizations in Grafana

Severity Score

5.1

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.

*Credits: N/A

CVSS Scores

Grafana Labsv4 5.1

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-03 CVE Reserved
2024-11-13 CVE Published
2024-11-14 EPSS Updated
2024-11-21 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-266: Incorrect Privilege Assignment

CAPEC

CAPEC-233: Privilege Escalation

References (2)

URL	Tag	Source
https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://grafana.com/security/security-advisories/cve-2024-9476	2024-11-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grafana Labs Search vendor "Grafana Labs"		Grafana OSS And Enterprise Search vendor "Grafana Labs" for product "Grafana OSS And Enterprise"				>= 11.3.0 < 11.3.0+security-01 Search vendor "Grafana Labs" for product "Grafana OSS And Enterprise" and version " >= 11.3.0 < 11.3.0+security-01"		en		Affected
Grafana Labs Search vendor "Grafana Labs"		Grafana OSS And Enterprise Search vendor "Grafana Labs" for product "Grafana OSS And Enterprise"				>= 11.2.0 < 11.2.3+security-01 Search vendor "Grafana Labs" for product "Grafana OSS And Enterprise" and version " >= 11.2.0 < 11.2.3+security-01"		en		Affected