FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Data source permission escalation

Affected packages
8.5.0 <= grafana < 9.5.17
10.0.0 <= grafana < 10.0.12
10.1.0 <= grafana < 10.1.8
10.2.0 <= grafana < 10.2.5
10.3.0 <= grafana < 10.3.4
grafana9 < 9.5.17


VuXML ID 6d31ef38-df85-11ee-abf1-6c3be5272acd
Discovery 2024-02-12
Entry 2024-03-11
Modified 2024-03-26

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.


CVE Name CVE-2024-1442