GHSA-hh8p-374f-qgr5

Source
https://github.com/advisories/GHSA-hh8p-374f-qgr5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-hh8p-374f-qgr5/GHSA-hh8p-374f-qgr5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hh8p-374f-qgr5
Aliases
Published
2024-08-20T18:31:26Z
Modified
2024-08-23T08:11:56.797844Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:L/SA:L
Summary
Grafana plugin data sources vulnerable to access control bypass
Details

Access control for plugin data sources that is enforced through the ReqActions json field of plugin.json can be bypassed. The ReqActions check was not scoped to the specific data source being queried, so a user or service account that has been granted the required action on any other data source passes the check for the impacted data source as well. The account must already have query access to the impacted data source.
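The following Go program is an added illustration of the flaw described above and is not Grafana's own code. It models an RBAC check for a plugin route guarded by required actions, first the way the advisory describes the faulty behaviour (the action is looked up without regard to which data source is being queried) and then with the check scoped to the target data source. The permission, action and scope strings (for example "datasources:query", "example:admin", "datasources:uid:dsB") and the sample grants are constructed for the example and are assumptions, not values taken from the advisory.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one RBAC grant: an action on a scope.
// Scope strings follow the pattern "datasources:uid:<uid>" (assumed for this example).
type Permission struct {
	Action string
	Scope  string
}

// scopeMatches reports whether a granted scope covers the requested one.
// It accepts an exact match, the global "*", and a trailing wildcard such as "datasources:*".
func scopeMatches(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// hasActionAnywhere reproduces the faulty behaviour: it only asks whether the
// account holds the action on some scope, ignoring which data source is targeted.
func hasActionAnywhere(perms []Permission, action string) bool {
	for _, p := range perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// hasActionOnScope is the scoped check: the action must be granted on a scope
// that actually covers the data source being queried.
func hasActionOnScope(perms []Permission, action, scope string) bool {
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, scope) {
			return true
		}
	}
	return false
}

// CanUseRoute decides whether a plugin route that lists reqActions may be
// called against data source dsUID. The account is assumed to already hold
// query access to dsUID (the advisory's precondition); scoped selects the
// corrected, per-data-source check.
func CanUseRoute(perms []Permission, reqActions []string, dsUID string, scoped bool) bool {
	scope := "datasources:uid:" + dsUID
	for _, action := range reqActions {
		var ok bool
		if scoped {
			ok = hasActionOnScope(perms, action, scope)
		} else {
			ok = hasActionAnywhere(perms, action)
		}
		if !ok {
			return false
		}
	}
	return true
}

// SamplePermissions is a constructed grant set: the account may query both
// data sources but holds the hypothetical "example:admin" action only on dsA.
func SamplePermissions() []Permission {
	return []Permission{
		{Action: "datasources:query", Scope: "datasources:uid:dsA"},
		{Action: "datasources:query", Scope: "datasources:uid:dsB"},
		{Action: "example:admin", Scope: "datasources:uid:dsA"},
	}
}

func main() {
	perms := SamplePermissions()
	req := []string{"example:admin"}
	// The unscoped check lets the dsA-only grant satisfy a route on dsB.
	fmt.Println("unscoped, dsB:", CanUseRoute(perms, req, "dsB", false))
	// The scoped check denies dsB and still allows dsA.
	fmt.Println("scoped, dsB:  ", CanUseRoute(perms, req, "dsB", true))
	fmt.Println("scoped, dsA:  ", CanUseRoute(perms, req, "dsA", true))
}
```

Run with `go run main.go`; the unscoped line reports true for dsB even though the admin action was granted only on dsA, which is the bypass the advisory describes, while the scoped variant denies dsB and allows dsA.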

Database specific
{
    "nvd_published_at": "2024-08-20T18:15:09Z",
    "cwe_ids": [
        "CWE-266"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T20:04:53Z"
}
References

Affected packages

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
11.1.0
Fixed
11.1.1

Affected versions

11.*

11.1.0

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
11.1.2
Fixed
11.1.3

Affected versions

11.*

11.1.2