{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-9476", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2024-10-03T12:58:42.842Z", "datePublished": "2024-11-13T16:30:54.581Z", "dateUpdated": "2025-11-21T14:25:37.913Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana OSS and Enterprise", "vendor": "Grafana Labs", "versions": [{"lessThan": "11.3.0+security-01", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThan": "11.2.3+security-01", "status": "affected", "version": "11.2.0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The feature toggle&nbsp;<tt><code>onPremToCloudMigrations</code></tt> must be enabled for this vulnerability to be activated. <br>See <a target=\"_blank\" rel=\"nofollow\" href=\"https://grafana.com/docs/grafana-cloud/account-management/migration-guide/\">https://grafana.com/docs/grafana-cloud/account-management/migration-guide/</a> for more details<br>"}], "value": "The feature toggle\u00a0onPremToCloudMigrations must be enabled for this vulnerability to be activated. \nSee https://grafana.com/docs/grafana-cloud/account-management/migration-guide/ for more details"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.<div><div>This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.</div></div>"}], "value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-11-21T14:25:37.913Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://grafana.com/security/security-advisories/cve-2024-9476/"}, {"url": "https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476/"}], "source": {"discovery": "UNKNOWN"}, "title": "Privilege escalation vulnerability for Organizations in Grafana", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-14T15:54:30.628886Z", "id": "CVE-2024-9476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T16:13:24.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-14T15:54:30.628886Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T15:54:23.722Z"}}], "cna": {"title": "Privilege escalation vulnerability for Organizations in Grafana", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana Labs", "product": "Grafana OSS and Enterprise", "versions": [{"status": "affected", "version": "11.3.0", "lessThan": "11.3.0+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.3+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-9476/", "tags": ["vendor-advisory"]}, {"url": "https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.<div><div>This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266"}]}], "configurations": [{"lang": "en", "value": "The feature toggle\u00a0onPremToCloudMigrations must be enabled for this vulnerability to be activated. \nSee https://grafana.com/docs/grafana-cloud/account-management/migration-guide/ for more details", "supportingMedia": [{"type": "text/html", "value": "The feature toggle&nbsp;<tt><code>onPremToCloudMigrations</code></tt> must be enabled for this vulnerability to be activated. <br>See <a target=\"_blank\" rel=\"nofollow\" href=\"https://grafana.com/docs/grafana-cloud/account-management/migration-guide/\">https://grafana.com/docs/grafana-cloud/account-management/migration-guide/</a> for more details<br>", "base64": false}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-11-21T14:25:37.913Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9476", "state": "PUBLISHED", "dateUpdated": "2025-11-21T14:25:37.913Z", "dateReserved": "2024-10-03T12:58:42.842Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2024-11-13T16:30:54.581Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance."}, {"lang": "es", "value": "Una vulnerabilidad en Grafana Labs Grafana OSS y Enterprise permite que la escalada de privilegios permita a los usuarios obtener acceso a recursos de otras organizaciones dentro de la misma instancia de Grafana a trav\u00e9s del Asistente de migraci\u00f3n a la nube de Grafana. Esta vulnerabilidad solo afectar\u00e1 a los usuarios que utilicen la funci\u00f3n Organizaciones para aislar recursos en su instancia de Grafana."}], "id": "CVE-2024-9476", "lastModified": "2024-11-21T17:15:28.000", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2024-11-13T17:15:12.747", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476/"}, {"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2024-9476/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Privilege escalation vulnerability in Grafana Migration Assistance", "id": "2322639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322639"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-9476", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2024-11-14T09:35:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9476\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9476"], "statement": "This vulnerability doesn't affect any version of Grafana as shipped with any supported Red Hat product. The affected upstream version is 11.2 while Red Hat doesn't ship such version.", "threat_severity": "Moderate"}

{}