CVE-2024-1442
MEDIUM6.0EPSS 0.21%Grafana's users with permissions to create a data source can CRUD all data sources
Published: 3/7/2024Modified: 2/4/2026
Description
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Affected packages (3)
- Bitnami/grafana>= 8.5.0, < 9.5.7, >= 10.0.0, < 10.0.12, >= 10.1.0, < 10.1.8, >= 10.2.0, < 10.2.5, >= 10.3.0, < 10.3.4
- Go/github.com/grafana/grafana>= 8.5.0, < 9.5.7
- Go/github.com/grafana/grafanafrom 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.0 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-5mxf-42f5-j782
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-1442
- PATCHhttps://github.com/grafana/grafana
- WEBhttps://grafana.com/security/security-advisories/cve-2024-1442
- WEBhttps://grafana.com/security/security-advisories/cve-2024-1442/
- WEBhttps://security.netapp.com/advisory/ntap-20241122-0007
- WEBhttps://security.netapp.com/advisory/ntap-20241122-0007/