Access Control Bypass in Grafana Plugin by Grafana Labs
CVE-2024-6322

4.4 MEDIUM

Key Information:

Vendor:
Grafana

CVE Published:
20 August 2024

What is CVE-2024-6322?

An access control bypass vulnerability exists in Grafana's plugin access control, allowing unauthorized access to protected data sources through the ReqActions JSON field in plugin.json. If a user or service account has been granted access to any other data source, the ReqActions check fails to restrict access to the specific data source appropriately. Exploitation requires that the account already has query access to the impacted data source; the flaw can still expose sensitive information or allow unauthorized operations within Grafana.

Affected Version(s)

Grafana 11.1.0 < 11.1.1

Grafana 11.1.2 < 11.1.3

Grafana Enterprise 11.1.0 < 11.1.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published