{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1442", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2024-02-12T12:21:26.806Z", "datePublished": "2024-03-07T17:45:43.993Z", "dateUpdated": "2024-08-01T18:40:21.181Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.5.7", "status": "affected", "version": "8.5.0", "versionType": "semver"}, {"lessThan": "10.0.12", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThan": "10.1.8", "status": "affected", "version": "10.1.0", "versionType": "semver"}, {"lessThan": "10.2.5", "status": "affected", "version": "10.2.0", "versionType": "semver"}, {"lessThan": "10.3.4", "status": "affected", "version": "10.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.<br>Doing this will grant the user access to read, query, edit and delete all data sources within the organization.<br>"}], "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-03-07T17:45:43.993Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-1442/"}], "source": {"discovery": "INTERNAL"}, "title": "User with permissions to create a data source can CRUD all data sources", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T14:35:40.672183Z", "id": "CVE-2024-1442", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T14:35:58.049Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.181Z"}, "title": "CVE Program Container", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-1442/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-1442/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.181Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T14:35:40.672183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T14:35:55.777Z"}}], "cna": {"title": "User with permissions to create a data source can CRUD all data sources", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "8.5.0", "lessThan": "9.5.7", "versionType": "semver"}, {"status": "affected", "version": "10.0.0", "lessThan": "10.0.12", "versionType": "semver"}, {"status": "affected", "version": "10.1.0", "lessThan": "10.1.8", "versionType": "semver"}, {"status": "affected", "version": "10.2.0", "lessThan": "10.2.5", "versionType": "semver"}, {"status": "affected", "version": "10.3.0", "lessThan": "10.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-1442/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n", "supportingMedia": [{"type": "text/html", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.<br>Doing this will grant the user access to read, query, edit and delete all data sources within the organization.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-03-07T17:45:43.993Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1442", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:40:21.181Z", "dateReserved": "2024-02-12T12:21:26.806Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2024-03-07T17:45:43.993Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n"}, {"lang": "es", "value": "Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgar\u00e1 al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organizaci\u00f3n."}], "id": "CVE-2024-1442", "lastModified": "2024-03-08T14:02:57.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2024-03-07T18:15:46.590", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2024-1442/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2633", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "rhceph/rhceph-6-dashboard-rhel9:6-90", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2024-05-01T00:00:00Z"}], "bugzilla": {"description": "grafana: Improper priviledge managent for users with data source permissions", "id": "2268486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268486"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "status": "verified"}, "cwe": "CWE-269", "details": ["A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.", "A flaw was found in Grafana, where setting the Grafana API Data Source UID to '*' Grants Unrestricted Access, grants a user the ability to set the UID to '*' via the Grafana API poses a severe security risk. This issue enables unauthorized access to read, query, edit, and delete all data sources within the organization. Such unrestricted access can lead to data breaches, manipulation, privacy violations, and compliance issues, emphasizing the critical importance of implementing stringent access controls and monitoring API usage."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-1442", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2024-03-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1442\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1442\nhttps://github.com/advisories/GHSA-5mxf-42f5-j782"], "statement": "The issue of allowing users to set the UID to '*' via the Grafana API presents a moderate severity concern due to its potential impact on data integrity and security within the organization's Grafana instance. While the risk of unauthorized access and data manipulation is significant, its severity is tempered by the prerequisite of having permission to create a data source in the first place. However, once exploited, this vulnerability enables an attacker to bypass access controls and gain unfettered access to all data sources, allowing them to read, query, edit, and delete sensitive information.", "threat_severity": "Moderate", "upstream_fix": "grafana 9.5.7, grafana 10.0.12, grafana 10.1.8, grafana 10.2.5, grafana 10.3.4"}