Bug 2268486 (CVE-2024-1442)

Summary: CVE-2024-1442 grafana: Improper privilege management for users with data source permissions
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, flucifre, gmeno, gparvin, lbainbri, mbenjamin, mhackett, njean, owatkins, pahickey, rhaigner, sipoyare, sostapov, vereddy
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: grafana 9.5.7, grafana 10.0.12, grafana 10.1.8, grafana 10.2.5, grafana 10.3.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana. A user who has permission to create data sources can use the Grafana HTTP API to create a data source whose UID is set to '*'. Grafana's role-based access control scopes data source permissions by UID, and '*' acts as a wildcard in those scopes, so the permissions granted to the creator of the new data source cover every data source in the organization. The user can then read, query, edit, and delete all data sources in that organization, which can lead to data exposure, data manipulation, and privacy and compliance violations. Restrict which users may create data sources, upgrade to a fixed version, and monitor API usage for data sources created with unusual UIDs.
Bug Depends On: 2268487, 2268488, 2268489, 2268490, 2268491, 2268492
Bug Blocks: 2268494

Description Pedro Sampaio 2024-03-07 19:29:24 UTC
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

References:

https://grafana.com/security/security-advisories/cve-2024-1442/
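
The escalation described above, modelled as an added Python example. This is not Grafana's code and not part of the bug report: it models Grafana's RBAC scope strings ('datasources:uid:<uid>', with a trailing '*' acting as a wildcard) in a few lines, shows how a data source created with UID '*' yields a wildcard permission, and then runs two checks an operator would want: a UID validator that rejects wildcard UIDs (an assumption about the upstream fix's intent, not its exact rule) and an audit over the JSON body of GET /api/datasources. The data source listing is constructed for the example, not captured from a real instance.

```python
"""CVE-2024-1442 model: data source UID '*' becomes a wildcard RBAC scope.

Added example, not Grafana code. The scope matcher, the UID rule and the
sample listing are assumptions made for illustration.
"""
import json
import re

# Actions that data source permissions grant (Grafana RBAC action names).
ACTIONS = (
    "datasources:read",
    "datasources:query",
    "datasources:write",
    "datasources:delete",
)


def scope_matches(granted: str, requested: str) -> bool:
    """Model of wildcard scope matching: 'datasources:uid:*' covers every
    'datasources:uid:<x>'. Assumption: only a trailing '*' is a wildcard."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def permissions_after_create(uid: str) -> dict:
    """Model of what the creator of a data source receives: each data source
    action, scoped to the UID of the data source they just created."""
    scope = f"datasources:uid:{uid}"
    return {action: scope for action in ACTIONS}


def can(perms: dict, action: str, target_uid: str) -> bool:
    """Does the permission set allow `action` on the data source `target_uid`?"""
    granted = perms.get(action)
    return granted is not None and scope_matches(granted, f"datasources:uid:{target_uid}")


# Hardened validation. Assumption: a UID is 1-40 characters from
# [A-Za-z0-9_-], which excludes '*' and every other scope metacharacter.
UID_RE = re.compile(r"[A-Za-z0-9_-]{1,40}")


def validate_uid(uid: str) -> bool:
    """Reject any UID that could act as a wildcard in a permission scope."""
    return UID_RE.fullmatch(uid) is not None


def audit_datasources(listing_json: str) -> list:
    """Return UIDs from a GET /api/datasources body that fail validation.
    `listing_json` is the JSON list of data source objects (each has 'uid')."""
    return [ds.get("uid", "") for ds in json.loads(listing_json)
            if not validate_uid(ds.get("uid", ""))]


# Constructed sample listing (not from a real Grafana instance).
SAMPLE_LISTING = json.dumps([
    {"id": 1, "uid": "prom-main", "name": "Prometheus", "type": "prometheus"},
    {"id": 2, "uid": "loki-prod", "name": "Loki", "type": "loki"},
    {"id": 3, "uid": "*", "name": "created-by-low-priv-user", "type": "prometheus"},
])


if __name__ == "__main__":
    # A user who created a data source with UID '*' now matches every UID.
    attacker = permissions_after_create("*")
    for uid in ("prom-main", "loki-prod"):
        allowed = [a for a in ACTIONS if can(attacker, a, uid)]
        print(f"{uid}: {allowed}")
    # A normal UID only grants access to that one data source.
    normal = permissions_after_create("mine")
    print("mine -> prom-main read:", can(normal, "datasources:read", "prom-main"))
    # Audit an existing instance's listing for wildcard UIDs.
    print("flagged UIDs:", audit_datasources(SAMPLE_LISTING))
```

To audit a live instance, fetch /api/datasources with an admin token and pass the response body to audit_datasources; any flagged UID should be treated as a possible exploitation of this issue and the creating user's permissions reviewed.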

Comment 1 Pedro Sampaio 2024-03-07 19:29:36 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2268487]

Comment 4 errata-xmlrpc 2024-05-01 01:17:37 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2024:2633 https://access.redhat.com/errata/RHSA-2024:2633