Access Control Bypass in Grafana Plugin by Grafana Labs
CVE-2024-6322

Currently unrated

Key Information:

Vendor
Grafana Labs
Status
Grafana
Vendor
CVE Published: 20 August 2024

Summary

An access control bypass vulnerability exists in the Grafana plugin. It allows unauthorized access to data sources that are protected through the ReqActions JSON field in plugin.json. If a user or service account has been granted access to any other data source, the ReqActions verification fails to restrict access to the specific data source being requested. Exploitation requires that the account already has query access to the impacted data source. The flaw can expose sensitive information or allow unauthorized operations within Grafana.
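The scoping failure described in the summary, as an added example that is not Grafana's code: a simplified permission model comparing a check that accepts the required action on any data source with one that ties it to the requested data source. The action name `example.plugin:read`, the scope strings, and the `ds-a`/`ds-b`/`ds-c` UIDs are constructed for illustration.

```python
# Simplified model of a per-data-source action check (not Grafana source code).
# Permissions map an action name to the list of scopes it was granted on.
# The action name and data source UIDs below are constructed for illustration.

REQ_ACTION = "example.plugin:read"   # hypothetical action named by ReqActions
QUERY = "datasources:query"


def scope_for(uid):
    return f"datasources:uid:{uid}"


def has_scoped(perms, action, uid):
    """True only if `action` was granted on this data source (or all of them)."""
    granted = perms.get(action, ())
    return any(s in (scope_for(uid), "datasources:*") for s in granted)


def unscoped_check(perms, uid):
    """Flawed form: the required action is accepted if held on ANY scope."""
    return has_scoped(perms, QUERY, uid) and bool(perms.get(REQ_ACTION))


def scoped_check(perms, uid):
    """Corrected form: the required action must cover the requested data source."""
    return has_scoped(perms, QUERY, uid) and has_scoped(perms, REQ_ACTION, uid)


def audit(perms, uids):
    """Data sources where only the flawed check grants access (over-broad grants)."""
    return [u for u in uids if unscoped_check(perms, u) and not scoped_check(perms, u)]


# Constructed account: may query ds-a and ds-b, but the plugin action
# was granted on ds-b only.
ACCOUNT = {
    QUERY: [scope_for("ds-a"), scope_for("ds-b")],
    REQ_ACTION: [scope_for("ds-b")],
}

if __name__ == "__main__":
    for uid in ("ds-a", "ds-b", "ds-c"):
        print(uid, "unscoped:", unscoped_check(ACCOUNT, uid),
              "scoped:", scoped_check(ACCOUNT, uid))
    print("over-broad:", audit(ACCOUNT, ["ds-a", "ds-b", "ds-c"]))
```

`ds-c` is denied by both checks because the account has no query access to it, which matches the precondition stated in the summary.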

Timeline

  • Vulnerability published
