Bug 2271903 (CVE-2024-1313) - CVE-2024-1313 grafana: vulnerable to authorization bypass
Summary: CVE-2024-1313 grafana: vulnerable to authorization bypass
Keywords:
Status: NEW
Alias: CVE-2024-1313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271904 2271905 2271906 2271907 2271908 2271909
Blocks: 2271902
TreeView+ depends on / blocked
 
Reported: 2024-03-27 17:29 UTC by Patrick Del Bello
Modified: 2024-04-30 14:40 UTC (History)
16 users (show)

Fixed In Version: grafana 9.5.18, grafana 10.0.13, grafana 10.1.9, grafana 10.2.6, grafana 10.3.5
Doc Type: ---
Doc Text:
A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2568 0 None None None 2024-04-30 14:40:37 UTC

Description Patrick Del Bello 2024-03-27 17:29:03 UTC 
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.

Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo 
Alto Research for discovering and disclosing this vulnerability.

This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

https://grafana.com/security/security-advisories/cve-2024-1313/
Comment 1 Patrick Del Bello 2024-03-27 17:32:28 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2271904]


Created grafana-pcp tracking bugs for this issue:

Affects: fedora-all [bug 2271908]
Comment 3 errata-xmlrpc 2024-04-30 14:40:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2568 https://access.redhat.com/errata/RHSA-2024:2568
Note You need to log in before you can comment on or make changes to this bug.