CVE-2024-1313

Published: Mar 26, 2024

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

Vendor	Product	Versions
Grafana	Grafana	affected `9.5.0 - < 9.5.18` affected `10.0.0 - < 10.0.13` affected `10.1.0 - < 10.1.9` affected `10.2.0 - < 10.2.6` affected `10.3.0 - < 10.3.5` +1 more versions

Weaknesses (CWE)

CWE-639

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://grafana.com/security/security-advisories/cve-2024-1313/

https://security.netapp.com/advisory/ntap-20240524-0008/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-1313

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References