Fluid Attacks Database

Description

Grafana's users with permissions to create a data source can CRUD all data sources A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/grafana/grafana	>=8.5.0 <9.5.7 \|\| >=10.0.0 <10.0.12 \|\| >=10.1.0 <10.1.8 \|\| >=10.2.0 <10.2.5 \|\| >=10.3.0 <10.3.4	9.5.7, 10.0.12, 10.1.8, 10.2.5, 10.3.4

Aliases

1. CVE-2024-14422. NVD-2024-14423. OSV-2024-14424. GCVE-2024-1442

References

1. https://grafana.com/security/security-advisories/cve-2024-14422. https://security.netapp.com/advisory/ntap-20241122-0007

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.