PT-2024-3766 · Grafana+6

Jay Chen (+1)

Published 2024-03-26 · Updated 2024-08-20

CVE-2024-1313

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

  • Grafana versions 9.5.0 through 9.5.17
  • Grafana versions 10.0.0 through 10.0.12
  • Grafana versions 10.1.0 through 10.1.8
  • Grafana versions 10.2.0 through 10.2.5
  • Grafana versions 10.3.0 through 10.3.4

Description

The issue is a Broken Object-Level Authorization (BOLA) vulnerability that allows low-privileged users to delete dashboard snapshots belonging to other organizations, given the snapshot's key. This can be done by issuing a DELETE request to the /api/snapshots/<key> endpoint. The vulnerability is caused by a bug in the authorization logic, which treats deletion requests from unprivileged users in different organizations as authorized.
Technical details about exploitation include:
  • API Endpoint: /api/snapshots/<key>
  • Vulnerable Parameter or Variable: key
  • The attacker must know the key of a snapshot to exploit this vulnerability. The key can be discovered in various ways, such as being displayed in plain text in the URL of a snapshot or being guessed through brute-force attacks due to a lack of complexity requirements.
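An illustration, added here and not taken from Grafana's code, of the organization-scoped check a DELETE /api/snapshots/<key> handler needs so that a key belonging to another organization is refused before any role logic runs; the types, the in-memory store and the creator-or-org-admin rule are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical types for the caller and the stored snapshot
// record (not Grafana's own types).
type User struct {
	ID, OrgID int64
	OrgAdmin  bool
}

type Snapshot struct {
	Key              string
	OrgID, CreatorID int64
}

// SnapshotStore is a constructed in-memory store keyed by snapshot key.
type SnapshotStore map[string]Snapshot

var ErrNotFound = errors.New("snapshot not found")
var ErrForbidden = errors.New("forbidden")

// AuthorizeDelete decides whether u may delete the snapshot stored under key.
// The record is scoped to the caller's own organization first, so a key from
// another organization is refused before any role logic runs: knowing the key
// is not, by itself, an authorization credential.
func AuthorizeDelete(store SnapshotStore, u User, key string) (Snapshot, error) {
	s, ok := store[key]
	if !ok {
		return Snapshot{}, ErrNotFound
	}
	if s.OrgID != u.OrgID { // object-level check: wrong organization
		return Snapshot{}, ErrForbidden
	}
	if s.CreatorID != u.ID && !u.OrgAdmin { // role check within the org
		return Snapshot{}, ErrForbidden
	}
	return s, nil
}

func main() {
	store := SnapshotStore{"abc123": {Key: "abc123", OrgID: 1, CreatorID: 7}}
	// A user from organization 2 presenting organization 1's key is refused.
	_, err := AuthorizeDelete(store, User{ID: 42, OrgID: 2, OrgAdmin: true}, "abc123")
	fmt.Println(err) // forbidden
}
```

A handler may map ErrNotFound and ErrForbidden to the same HTTP status so that the response does not confirm whether a guessed key exists.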
Recommendations

To resolve the issue for each affected version, update to the respective fixed version or later:
  • For versions 9.5.0 through 9.5.17, update to version 9.5.18 or later.
  • For versions 10.0.0 through 10.0.12, update to version 10.0.13 or later.
  • For versions 10.1.0 through 10.1.8, update to version 10.1.9 or later.
  • For versions 10.2.0 through 10.2.5, update to version 10.2.6 or later.
  • For versions 10.3.0 through 10.3.4, update to version 10.3.5 or later.

As a temporary workaround, consider restricting access to the /api/snapshots/<key> endpoint to minimize the risk of exploitation.

Fix

Weakness Enumeration

IDOR

Related Identifiers

ALSA-2024:2568
ALSA-2024:3265
BDU:2024-04116
BIT-GRAFANA-2024-1313
CESA-2024_3265
CVE-2024-1313
GHSA-67RV-QPW2-6QRR
GHSA-MH7P-8M2F-QRM6
GO-2024-2697
INFSA-2024_2568
INFSA-2024_3265
OPENSUSE-SU-2024:13831-1
OPENSUSE-SU-2024_1530-2
RHSA-2024:2568
RHSA-2024:3265
RHSA-2024_2568
RHSA-2024_3265
RLSA-2024:2568
RLSA-2024:3265
SUSE-SU-2024:1508-1
SUSE-SU-2024:1509-1
SUSE-SU-2024:1530-1
SUSE-SU-2024:1530-2
SUSE-SU-2024:1814-1
SUSE-SU-2024:1815-1

Affected Products

Almalinux
Centos
Grafana
Red Hat
Red Os
Rocky Linux
Suse