Users outside an organization can delete a snapshot with its key
Advisory ID: CVE-2024-1313
Published: 2024-03-26
Product: Grafana
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Fixed Versions: >=9.5.18, >=10.0.13, >=10.1.9, >=10.2.6, >=10.3.5
Summary
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
Note: 10.4.x versions were not impacted by this vulnerability due to the functionality in question having been refactored entirely.
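As an added example (not part of this advisory or of Grafana's own code), the following Python helper turns the affected ranges stated above into a check a fleet inventory can run; the hostnames and versions in the demo are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, as stated in the advisory.
AFFECTED_RANGES = [
    ((9, 5, 0), (9, 5, 18)),
    ((10, 0, 0), (10, 0, 13)),
    ((10, 1, 0), (10, 1, 9)),
    ((10, 2, 0), (10, 2, 6)),
    ((10, 3, 0), (10, 3, 5)),
]

# Accepts "10.2.3", "v10.2.3" and "10.2.3-pre1"; a pre-release/build suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(text: str) -> Optional[bool]:
    """True if inside an affected range, False if not, None if unparseable."""
    # Lines the advisory does not list (pre-9.5, and 10.4.x, which it says was refactored)
    # come back False; a fleet check should still flag None values for manual review.
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def minimum_fixed_version(text: str) -> Optional[str]:
    """For an affected version, the first patch release in its line that fixes it."""
    v = parse_version(text)
    if v is None:
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the demo).
    for host, ver in [("grafana-a", "v10.2.3"), ("grafana-b", "10.3.5"), ("grafana-c", "bad")]:
        status = {True: "AFFECTED", False: "not affected", None: "unparseable"}[is_affected(ver)]
        print(f"{host:10} {ver:8} {status:13} fix: {minimum_fixed_version(ver) or '-'}")
```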