Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oaDhwLTM3NGYtcWdyNc4AA-z7

Grafana plugin data sources vulnerable to access control bypass

Access control for plugin data sources protected by the ReqActions JSON field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific data source. The account must have prior query access to the impacted data source.

Permalink: https://github.com/advisories/GHSA-hh8p-374f-qgr5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oaDhwLTM3NGYtcWdyNc4AA-z7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-hh8p-374f-qgr5, CVE-2024-6322
References: Repository: https://github.com/grafana/grafana
Blast Radius: 7.5

Affected Packages

go:github.com/grafana/grafana
Dependent packages: 37
Dependent repositories: 50
Downloads:
Affected Version Ranges: = 11.1.2, = 11.1.0
Fixed in: 11.1.3, 11.1.1
All affected versions:
All unaffected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.5.0, 2.6.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.6