Grafana · Grafana Operator · CVE-2026-11769
**Name of the Vulnerable Software and Affected Versions**
Grafana Operator versions prior to 5.24.0
**Description**
A path traversal and privilege escalation issue exists when loading dashboards and library panels using the jsonnet data templating language. Because the jsonnet expression is evaluated within the context of the operator manager pod, a malicious user with permissions to create Dashboard or LibraryPanel resources can obtain the Kubernetes service account token of the Grafana Operator manager.
**Recommendations**
Upgrade to version 5.24.0.
As a temporary workaround, implement a ValidatingAdmissionPolicy that prevents the creation or modification of jsonnet-based resources by denying operations on `grafanadashboards` and `grafanalibrarypanels` where the `jsonnetLib` field is present.
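One way to express this workaround, as an added example that is not taken from the advisory or from the Grafana Operator project. It assumes the operator's CRDs are served under the API group `grafana.integreatly.org`, that the field sits at `spec.jsonnetLib`, and that the cluster serves `admissionregistration.k8s.io/v1`; the name `deny-grafana-jsonnetlib` is illustrative.

```yaml
# Added example: policy plus binding. A ValidatingAdmissionPolicy has no
# effect until a ValidatingAdmissionPolicyBinding references it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-grafana-jsonnetlib          # illustrative name
spec:
  # Fail closed: if the expression cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["grafana.integreatly.org"]   # assumption: confirm with `kubectl api-resources`
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["grafanadashboards", "grafanalibrarypanels"]
  validations:
    # Admit the object only when jsonnetLib is absent.
    # Assumption: the field is located at spec.jsonnetLib in both CRDs.
    - expression: "!has(object.spec) || !has(object.spec.jsonnetLib)"
      message: "spec.jsonnetLib is blocked until Grafana Operator is upgraded to 5.24.0"
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-grafana-jsonnetlib          # illustrative name
spec:
  policyName: deny-grafana-jsonnetlib
  # Deny rejects the request; Audit records the violation in the audit log.
  validationActions: ["Deny", "Audit"]
  # No matchResources selector: the binding applies in every namespace.
```

The policy only gates new CREATE and UPDATE requests, so resources that already carry `jsonnetLib` remain in the cluster and need to be listed and reviewed separately.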