BIT-grafana-2024-6322

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2024-6322.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-grafana-2024-6322
Aliases
Published
2024-08-23T07:19:28.601Z
Modified
2024-09-30T09:34:51.259Z
Summary
[none]
Details

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

Database specific
{
    "cpes": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / grafana

Package

Name
grafana
Purl
pkg:bitnami/grafana

Severity

  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
11.1.0
Fixed
11.1.1
Introduced
11.1.2
Fixed
11.1.3