BIT-grafana-2024-6322

Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2024-6322.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-grafana-2024-6322
Aliases
Published
2024-08-23T07:19:28.601Z
Modified
2024-09-30T09:34:51.259Z
Summary
[none]
Details

Access control for plugin data sources protected by the ReqActions JSON field of plugin.json is bypassed if the user or service account is granted the associated access to any other data source, because the ReqActions check was not scoped to each specific data source. The account must have prior query access to the impacted data source.

Database specific
{
    "cpes": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / grafana

Package

Name
grafana
Purl
pkg:bitnami/grafana

Severity

  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L

Affected ranges

Type
SEMVER
Events
Introduced
11.1.0
Fixed
11.1.1
Introduced
11.1.2
Fixed
11.1.3