Bug 2271903 (CVE-2024-1313)

Summary: CVE-2024-1313 grafana: vulnerable to authorization bypass
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, aoconnor, bniver, flucifre, gmeno, gparvin, lbainbri, mbenjamin, mhackett, njean, owatkins, pahickey, rhaigner, sipoyare, sostapov, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grafana 9.5.18, grafana 10.0.13, grafana 10.1.9, grafana 10.2.6, grafana 10.3.5 Doc Type: ---
Doc Text:
A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2271904, 2271905, 2271906, 2271907, 2271908, 2271909    
Bug Blocks: 2271902    

Description Patrick Del Bello 2024-03-27 17:29:03 UTC 
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.

Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo 
Alto Research for discovering and disclosing this vulnerability.

This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

https://grafana.com/security/security-advisories/cve-2024-1313/
Comment 1 Patrick Del Bello 2024-03-27 17:32:28 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2271904]


Created grafana-pcp tracking bugs for this issue:

Affects: fedora-all [bug 2271908]
Comment 3 errata-xmlrpc 2024-04-30 14:40:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2568 https://access.redhat.com/errata/RHSA-2024:2568