Bug 2271903 (CVE-2024-1313)
Summary: | CVE-2024-1313 grafana: vulnerable to authorization bypass | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, aoconnor, bniver, flucifre, gmeno, gparvin, lbainbri, mbenjamin, mhackett, njean, owatkins, pahickey, rhaigner, sipoyare, sostapov, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | grafana 9.5.18, grafana 10.0.13, grafana 10.1.9, grafana 10.2.6, grafana 10.3.5 | Doc Type: | --- |
Doc Text: |
A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2271904, 2271905, 2271906, 2271907, 2271908, 2271909 | ||
Bug Blocks: | 2271902 |
Description
Patrick Del Bello
2024-03-27 17:29:03 UTC
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2271904] Created grafana-pcp tracking bugs for this issue: Affects: fedora-all [bug 2271908] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2568 https://access.redhat.com/errata/RHSA-2024:2568 |