Grafana security release: Medium severity fix for CVE-2024-8118

Today we released Grafana 11.2.1, 11.1.6, 11.0.5, 10.4.9, and 10.3.10. These patch releases contain a fix for CVE-2024-8118, a medium severity security vulnerability that applies to permissions on data source rule write endpoints in Grafana Alerting.

Release 11.2.1 with security patch:

• Download Grafana 11.2.1

Release 11.1.6 with security patch:

• Download Grafana 11.1.6

Release 11.0.5 with security patch:

• Download Grafana 11.0.5

Release 10.4.9 with security patch:

• Download Grafana 10.4.9

Release 10.3.10 with security patch:

• Download Grafana 10.3.10

Appropriate patches have been applied to Grafana Cloud.

Grafana Alerting: permission on data source rule write endpoint (CVE-2024-8118)

Summary

A vulnerability has been discovered in the Grafana application related to the /api/ruler/{DatasourceUID}/api/v1/rules/{Namespace} endpoint. This endpoint allows Grafana users to edit alerting and recording rules stored in external data sources. We discovered that the endpoint had an incorrect RBAC action assigned to it. The endpoint was documented to check for alert.rules.external:write, but instead checked for the action alert.instances.external:write. This allowed users that had permission to edit alert instances in the data source to also create, edit, and delete alert rules without permission.

The CVSS v4.0 vulnerability score is a 5.1 Medium.

Impact

If successfully exploited, this vulnerability could allow users to create and edit rules unexpectedly. An attacker can, in turn, create a rule that reads data source information that they otherwise would not have access to and leak that information via notifications.

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible.

As a mitigation, we recommend Administrators audit their permissions to ensure that alert.instances.external:write is only applied to the expected groups.

Impacted versions

Grafana 8.5.0 to 11.2.0

Appropriate patches have been applied to Grafana Cloud.

Timeline and post-incident review

All times are in UTC

• 2022-03-15 00:02 - Vulnerability is merged into Grafana’s code base.
• 2022-03-22 13:54 - Vulnerability is released in Grafana version 8.5.0.
• 2024-08-21 16:25 - A bug fix touching the vulnerable code was opened as a public PR by internal staff.
• 2024-08-21 16:26 - The vulnerability was discovered by the same internal staff.
• 2024-08-21 17:09 - Vulnerability was classified as 2.1 Low.
• 2024-08-21 17:31 - Vulnerability was reclassified as 5.1 Medium after further investigation.
• 2024-08-21 17:41 - Request was sent to GitHub to delete the public PR.
• 2024-08-21 18:21 - GitHub staff removes the public PR.
• 2024-08-22 15:36 - The fix for the vulnerability is internally proposed.
• 2024-09-05 20:02 - The fix for the vulnerability is merged, including all backports to supported versions.
• 2024-09-10 20:02 - Private release
• 2024-09-26 19:30 - Public release
• 2024-09-26 23:45 - Blog published

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.