CVE-2024-1313

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-1313
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1313.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-1313
Aliases
Downstream
Related
Published
2024-03-26T17:24:25.956Z
Modified
2026-05-13T03:51:47.689328047Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Users outside an organization can delete a snapshot with its key
Details

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.

Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.

This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

Database specific 
{
    "cna_assigner": "GRAFANA",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1313.json",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
efe95b4c213a64acd9566f658b21fb6c11597b32
Fixed
f4c5a603b25f69127bfe065381ff454e55b334c5
Introduced
81d85ce8028dc54188e1f4482837d28f5fc7c797
Fixed
9c2ce6255bb326364c83384306356a63896c8601
Introduced
ff85ec33c56ffe567e6bde27473d9493eb70c743
Fixed
783cbd8a148eb0c0a017a01c0dbe1138fe5e8e24
Introduced
ae830f687450b8a0aca94ab2d72cc08853a80fff
Fixed
5f1eccdb4da646b4122c3eb815290b2b025188fe
Introduced
e010fbb08cfcd444924bc674035ac6286d8cdb88
Fixed
6db35ad6b4075cf214594fc62f4a3faa3484be01
Database specific 
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.18"
        },
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.13"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.9"
        },
        {
            "introduced": "10.2.0"
        },
        {
            "fixed": "10.2.6"
        },
        {
            "introduced": "10.3.0"
        },
        {
            "fixed": "10.3.5"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1313.json"