
Grafana security release: Medium severity security fix for CVE-2024-9476

2024-11-12

Update: The timeline and post-incident review section has been updated to reflect that the Grafana Cloud Migration Assistant was enabled for all Grafana Cloud users on Nov. 13 at 13:00 UTC.

We’ve recently released Grafana 11.3.0+security-01 and 11.2.3+security-01. These patch releases contain a fix for CVE-2024-9476, a medium severity security vulnerability exploitable through the Grafana Cloud Migration Assistant, a feature that was introduced in Grafana 11.2.0 and is currently in public preview. Grafana 10.x is not affected.

11.3.0+security-01, latest release with security patch:

11.2.3+security-01, latest release with security patch:

Note: To learn more about the new naming conventions for security releases, please refer to our latest blog post about the Grafana release process.

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Privilege escalation vulnerability for Organizations in Grafana (CVE-2024-9476)

Summary

A privilege escalation vulnerability was discovered in self-managed Grafana OSS v11.2 and Grafana Enterprise v11.2 during routine internal testing. The vulnerability allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.

The Grafana Cloud Migration Assistant was introduced in Grafana 11.2.0 in public preview and is only available when a user with Admin access enables the corresponding feature toggle.

Note: This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance.

The CVSS v3.1 score for this vulnerability is 5.4 Medium.

Impact

Some users leverage the Organizations feature to isolate multiple resources within a single Grafana instance. However, the Grafana Cloud Migration Assistant did not restrict the resources it showed to the user's assigned organization, and it did not consider the user's role (Viewer, Editor, or Admin) within that organization. Instead, the assistant showed and migrated all the resources within the instance. This means that some users could view resources belonging to other organizations within the same Grafana instance.
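To make the failure mode concrete, the following Go program is an added illustration and is not Grafana's code: it models the unscoped listing the advisory describes beside a listing that is scoped to the caller's current organization and gated on the Admin role. The `Resource`, `User`, and `Role` types, the inventory in `sampleResources`, and the rule that migration requires Admin are all constructed assumptions for the example, not Grafana's internal API or the shipped fix.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role models the three basic Grafana organization roles named in the advisory.
type Role int

const (
	Viewer Role = iota
	Editor
	Admin
)

// Resource is a constructed stand-in for a dashboard or data source that belongs to exactly one org.
type Resource struct {
	UID   string
	OrgID int64
	Kind  string
}

// User carries the organization the user is currently acting in and the role held there.
type User struct {
	Login string
	OrgID int64
	Role  Role
}

// ErrForbidden is returned when a caller without the Admin role asks for migratable resources.
var ErrForbidden = errors.New("forbidden: migration requires Admin role in the current organization")

// listAllResourcesUnscoped reproduces the behaviour the advisory describes as the bug:
// every resource in the instance is returned, regardless of the caller's org or role.
func listAllResourcesUnscoped(all []Resource, _ User) []Resource {
	out := make([]Resource, len(all))
	copy(out, all)
	return out
}

// listMigratableResources is the tenant-isolated version: it refuses callers that are not
// Admin in their current org and returns only resources whose OrgID matches that org.
func listMigratableResources(all []Resource, u User) ([]Resource, error) {
	if u.Role != Admin {
		return nil, ErrForbidden
	}
	var out []Resource
	for _, r := range all {
		if r.OrgID == u.OrgID {
			out = append(out, r)
		}
	}
	// Sort by UID so callers (and tests) get a stable order.
	sort.Slice(out, func(i, j int) bool { return out[i].UID < out[j].UID })
	return out, nil
}

// sampleResources is a constructed inventory spanning two organizations (IDs 1 and 2).
func sampleResources() []Resource {
	return []Resource{
		{UID: "dash-a1", OrgID: 1, Kind: "dashboard"},
		{UID: "ds-a1", OrgID: 1, Kind: "datasource"},
		{UID: "dash-b1", OrgID: 2, Kind: "dashboard"},
		{UID: "ds-b1", OrgID: 2, Kind: "datasource"},
	}
}

func main() {
	admin := User{Login: "alice", OrgID: 1, Role: Admin}

	fmt.Println("unscoped listing (the reported behaviour):")
	for _, r := range listAllResourcesUnscoped(sampleResources(), admin) {
		fmt.Printf("  org=%d %-10s %s\n", r.OrgID, r.Kind, r.UID)
	}

	scoped, err := listMigratableResources(sampleResources(), admin)
	fmt.Println("scoped listing for alice (org 1, Admin), err:", err)
	for _, r := range scoped {
		fmt.Printf("  org=%d %-10s %s\n", r.OrgID, r.Kind, r.UID)
	}

	_, err = listMigratableResources(sampleResources(), User{Login: "bob", OrgID: 1, Role: Viewer})
	fmt.Println("scoped listing for bob (org 1, Viewer), err:", err)
}
```

The two checks in `listMigratableResources` correspond to the two gaps the Impact section names: the org filter enforces isolation between organizations, and the role check ties the operation to the caller's permissions within that organization. Either one alone would still leak: a role check without the org filter lets an org-1 Admin see org-2 resources, and an org filter without the role check lets a Viewer drive a migration.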

Impacted versions

  • Grafana OSS and Grafana Enterprise 11.3.0 to 11.3.0+security-01
  • Grafana OSS and Grafana Enterprise 11.2.0 to 11.2.3+security-01

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible.

As a mitigation, we turned off the Grafana Cloud Migration Assistant for all on-prem users on Oct. 3. We plan to turn the Grafana Cloud Migration Assistant back on for all on-prem users on Nov. 13, and it will remain in public preview. We recommend enabling the Grafana Cloud Migration Assistant only when it is needed.

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2024-08-27 12:30: Grafana 11.2.0 is released with the Grafana Cloud Migration Assistant feature in public preview.
  • 2024-10-01 16:00: A bug in the Grafana Cloud Migration Assistant was discovered during routine testing by the development team.
  • 2024-10-03 15:15: After further investigation and internal consultation, a security incident is declared.
  • 2024-10-03 19:12: To mitigate the vulnerability, the Grafana Cloud Migration Assistant feature was disabled for all Grafana Cloud instances, making it impossible to exploit the vulnerability.
  • 2024-10-17 17:10: The engineering team finished the required fixes.
  • 2024-10-25 11:30: Private release.
  • 2024-11-12 16:25: Public release.
  • 2024-11-12 19:00: Blog post is published.
  • 2024-11-13 13:00: Grafana Cloud Migration service was enabled again for all Grafana Cloud instances.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.