Grafana alerting wrong permission on datasource rule write endpoint

Medium
Advisory ID:CVE-2024-8118
Published:2024-09-26
Product:Grafana
CVSS Score:5.1
CVSS Vector:CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Fixed Versions:
>=11.2.1
>=11.1.6
>=11.0.5
>=10.4.9
>=10.3.10

Summary

 In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

This vulnerability first appeared in Grafana v8.5.0, and is fixed in v11.2.1, v11.1.6, v11.0.5, v10.4.9, and v10.3.10.