Improper authorization control for web services in github.com/grafana/grafana

Description

Grafana: Users outside an organization can delete a snapshot with its key

Summary

The DELETE /api/snapshots/{key} endpoint allows any Grafana user to delete a snapshot if the user is NOT in the organization that owns the snapshot.

Details

An attacker (a user with no organization affiliation, or one holding the "no basic role" in an organization other than the one where the dashboard exists) who knows the key or URL of a snapshot created by any user (including Grafana admins) can delete that snapshot through the API (this is not feasible through the UI), resulting in a BOLA (broken object-level authorization) vulnerability. If the attacker is in the same organization as the dashboard snapshot, they cannot delete it. However, a low-privileged attacker from a different organization can delete it, which is the authorization flaw.
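The decision logic described above, modelled in Go as an added illustration (this is hypothetical code written for this page, not Grafana's own handler): `canDeleteVulnerable` reproduces the reported behaviour, where the role/ownership check only runs for requesters inside the snapshot's organization and everyone else is waved through, while `canDeleteFixed` fails closed by requiring organization membership before consulting the role. The `User`, `Snapshot` and `Role` types are assumptions for the example.

```go
package main

import "fmt"

// Role is a simplified stand-in for Grafana's basic org roles (assumed for this example).
type Role string

const (
	RoleNone   Role = "None" // the "no basic role" mentioned in the advisory
	RoleViewer Role = "Viewer"
	RoleEditor Role = "Editor"
	RoleAdmin  Role = "Admin"
)

// User is the requester; OrgID 0 models a user that belongs to no organization.
type User struct {
	ID    int64
	OrgID int64
	Role  Role
}

// Snapshot is the object being deleted; OrgID is the owning organization, UserID the creator.
type Snapshot struct {
	Key    string
	OrgID  int64
	UserID int64
}

// canDeleteVulnerable models the reported flaw: the permission check is only
// applied when the requester is in the snapshot's org, so a requester from a
// different org (or from no org at all) is never checked and is allowed.
func canDeleteVulnerable(u User, s Snapshot) bool {
	if u.OrgID == s.OrgID {
		return u.Role == RoleAdmin || u.ID == s.UserID
	}
	return true // cross-org requester: check skipped (the bug)
}

// canDeleteFixed fails closed: the requester must be a member of the owning
// organization, and only then is the role/ownership rule evaluated.
func canDeleteFixed(u User, s Snapshot) bool {
	if u.OrgID == 0 || u.OrgID != s.OrgID {
		return false
	}
	return u.Role == RoleAdmin || u.ID == s.UserID
}

func main() {
	snap := Snapshot{Key: "example-key", OrgID: 1, UserID: 10} // constructed sample
	cases := []struct {
		name string
		u    User
	}{
		{"admin in owning org", User{ID: 10, OrgID: 1, Role: RoleAdmin}},
		{"viewer in owning org, not creator", User{ID: 11, OrgID: 1, Role: RoleViewer}},
		{"no-role user in another org", User{ID: 20, OrgID: 2, Role: RoleNone}},
		{"user in no org", User{ID: 30, OrgID: 0, Role: RoleNone}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s vulnerable=%-5v fixed=%v\n",
			c.name, canDeleteVulnerable(c.u, snap), canDeleteFixed(c.u, snap))
	}
}
```

Running the sample prints that the cross-org and no-org users are allowed by the vulnerable rule and denied by the fixed one, while the in-org admin is allowed by both and the in-org non-owner viewer is denied by both.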


Precondition

To exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways.

When creating a snapshot through the API, users can manually specify a key without any complexity requirements. This lack of complexity makes the key susceptible to brute-force attacks. For example, simplistic keys such as "customer_key_123" or "admin_snap" can be easily guessed. Such predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity.

In addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the snapshot feature is often used for sharing, displaying, and backing up data, a low-privileged attacker could potentially find snapshot keys in places like the organization's content management system, messaging platform, or shared documents.
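A defensive counterpart to the key-complexity problem described in the two paragraphs above, as an added Go example that is not part of the original report or of Grafana: `newSnapshotKey` generates a key server-side from a CSPRNG, and `validateSnapshotKey` applies a minimum-entropy estimate to any caller-supplied key so that guessable values like the ones named above are rejected. The 128-bit threshold and the character-class entropy heuristic are assumptions chosen for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"math"
)

// minKeyBits is the minimum estimated entropy accepted for a caller-supplied key (assumed threshold).
const minKeyBits = 128.0

// newSnapshotKey returns a server-generated key carrying nbytes of CSPRNG
// entropy, base64url-encoded (no padding) so it is safe inside a URL path segment.
func newSnapshotKey(nbytes int) (string, error) {
	b := make([]byte, nbytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// keyEntropyBits is an optimistic upper bound on a key's entropy: it assumes every
// character was drawn uniformly from the union of the character classes present.
// A key that fails even this generous estimate is clearly guessable.
func keyEntropyBits(key string) float64 {
	var lower, upper, digit, other bool
	n := 0
	for _, r := range key {
		n++
		switch {
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 32 // printable ASCII punctuation, as a rough class size
	}
	if alphabet == 0 {
		return 0
	}
	return float64(n) * math.Log2(float64(alphabet))
}

// validateSnapshotKey rejects caller-supplied keys whose estimated entropy is
// below minKeyBits; a server would typically fall back to newSnapshotKey instead.
func validateSnapshotKey(key string) error {
	if bits := keyEntropyBits(key); bits < minKeyBits {
		return fmt.Errorf("snapshot key too weak: ~%.0f bits, need at least %.0f", bits, minKeyBits)
	}
	return nil
}

func main() {
	// Constructed sample keys, including the two guessable ones from the advisory.
	for _, k := range []string{"customer_key_123", "admin_snap"} {
		fmt.Printf("%-20s %v\n", k, validateSnapshotKey(k))
	}
	generated, err := newSnapshotKey(24) // 192 bits of CSPRNG entropy
	if err != nil {
		panic(errors.New("CSPRNG unavailable: " + err.Error()))
	}
	fmt.Printf("%-20s %v\n", "generated", validateSnapshotKey(generated))
}
```

The character-class estimate is deliberately optimistic; real keys built from dictionary words are far weaker than it reports, so it is a floor to reject obviously bad input, not a substitute for generating keys server-side.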

PoC

#!/bin/bash -x

# User A - Grafana Admin (base64-encoded HTTP Basic credentials)
user_a_token="YWRtaW46YWRtaW4xMjM="

# User B - user with no permissions, who is not part of any org (base64-encoded HTTP Basic credentials)
user_b_token="YmJiOmJiYmJiYmJiYg=="
...

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
