CVE-2024-1442

Name of the Vulnerable Software and Affected Versions Grafana versions prior to 9.5.7 Grafana versions 10.0.0 through 10.0.11 Grafana versions 10.1.0 through 10.1.7 Grafana versions 10.2.0 through 10.2.4 Grafana versions 10.3.0 through 10.3.3

Description The issue is related to insecure privilege management in the Grafana API. A user with permissions to create a data source can exploit this by creating a data source with the UID set to *, granting them access to read, query, edit, and delete all data sources within the organization. This can allow an attacker to gain unauthorized access to limited functions.

Recommendations For Grafana versions prior to 9.5.7, update to version 9.5.7 or later. For Grafana versions 10.0.0 through 10.0.11, update to version 10.0.12 or later. For Grafana versions 10.1.0 through 10.1.7, update to version 10.1.8 or later. For Grafana versions 10.2.0 through 10.2.4, update to version 10.2.5 or later. For Grafana versions 10.3.0 through 10.3.3, update to version 10.3.4 or later. As a temporary workaround, consider restricting access to the Grafana API to minimize the risk of exploitation. Avoid granting permissions to create data sources to users who should not have access to all data sources.