{ "threat_severity" : "Moderate", "public_date" : "2024-03-26T00:00:00Z", "bugzilla" : { "description" : "grafana: vulnerable to authorization bypass", "id" : "2271903", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2271903" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-639", "details" : [ "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.", "A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key." ], "statement" : "Red Hat rates this as a Moderate impact flaw as it still require access to perform requests against Grafana and the view access key. The attacker would need minimum privileges in order to jeopardize an environment.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3265", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "grafana-0:9.2.10-16.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2568", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "grafana-0:9.2.10-16.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-grafana-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ceph Storage 5", "fix_state" : "Affected", "package_name" : "rhceph/rhceph-5-dashboard-rhel8", "cpe" : "cpe:/a:redhat:ceph_storage:5" }, { "product_name" : "Red Hat Ceph Storage 6", "fix_state" : "Will not fix", "package_name" : "rhceph/rhceph-6-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ceph_storage:6" }, { "product_name" : "Red Hat Ceph Storage 7", "fix_state" : "Affected", "package_name" : "rhceph/grafana-rhel9", "cpe" : "cpe:/a:redhat:ceph_storage:7" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "grafana-pcp", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "grafana-pcp", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "grafana-pcp", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Out of support scope", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-1313\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1313\nhttps://github.com/advisories/GHSA-67rv-qpw2-6qrr\nhttps://github.com/advisories/GHSA-mh7p-8m2f-qrm6\nhttps://grafana.com/security/security-advisories/cve-2024-1313/" ], "name" : "CVE-2024-1313", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }