Description
A user with permission to create a data source can use the Grafana API to create a data source whose UID is set to '*'.
Doing this grants the user access to read, query, edit and delete all data sources within the organization.
A flaw was found in Grafana: setting a data source UID to '*' through the Grafana API grants unrestricted access. A user who is allowed to create data sources can set the UID to '*', and the wildcard is then honoured by the data source permission checks, so that user can read, query, edit and delete every data source in the organization rather than only the one they created. Such unrestricted access can lead to data exposure, manipulation of data source configuration, privacy violations and compliance issues; data source creation rights should therefore be granted sparingly, and API usage should be monitored.
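The advisory describes the condition in prose only; the following is an added example (editor's code, not Grafana's own or Red Hat's), showing an offline audit of a `GET /api/datasources` listing for the wildcard UID plus the server-side input check that would have refused it. The sample JSON is constructed, and the allowed-UID pattern (letters, digits, '-' and '_', at most 40 characters) is an assumption about what a safe short UID looks like, not a quotation of Grafana's validator; it goes beyond the page by also flagging any other malformed UID, not just the bare '*'.

```python
import json
import re

# Constructed sample shaped like a Grafana `GET /api/datasources` response
# (a JSON array of data source objects). Only the fields used below are kept;
# the third entry is the condition the advisory describes.
SAMPLE_DATASOURCES_JSON = """
[
  {"id": 1, "uid": "P1809F7CD0C75ACF3", "name": "Prometheus", "type": "prometheus", "orgId": 1},
  {"id": 2, "uid": "loki-prod",         "name": "Loki",       "type": "loki",       "orgId": 1},
  {"id": 3, "uid": "*",                 "name": "catchall",   "type": "testdata",   "orgId": 1}
]
"""

# Assumed safe-UID policy (editor's assumption, not Grafana's code): letters,
# digits, '-' and '_', 1..40 characters. A bare "*" cannot match this.
UID_RE = re.compile(r"[A-Za-z0-9_-]{1,40}")


def is_safe_uid(uid: str) -> bool:
    """True if the UID contains only the allowed characters and length."""
    return UID_RE.fullmatch(uid) is not None


def find_wildcard_datasources(datasources_json: str) -> list:
    """Audit a data source listing: return every entry whose uid is exactly "*"
    (the advisory's case) or otherwise fails the safe-UID policy."""
    flagged = []
    for ds in json.loads(datasources_json):
        uid = str(ds.get("uid", ""))
        if uid == "*" or not is_safe_uid(uid):
            flagged.append({
                "id": ds.get("id"),
                "uid": uid,
                "name": ds.get("name"),
                "orgId": ds.get("orgId"),
            })
    return flagged


def validate_create_request(body: dict) -> dict:
    """Guard for a POST /api/datasources body before it reaches the store.
    A missing uid is left alone (the server would generate one); a present
    uid must satisfy the safe-UID policy, so "*" is rejected up front."""
    uid = body.get("uid")
    if uid is None:
        return body
    if not is_safe_uid(str(uid)):
        raise ValueError(
            f"refusing data source uid {uid!r}: must match {UID_RE.pattern}"
        )
    return body


if __name__ == "__main__":
    for hit in find_wildcard_datasources(SAMPLE_DATASOURCES_JSON):
        print("suspicious data source:", hit)
    try:
        validate_create_request({"name": "evil", "type": "prometheus", "uid": "*"})
    except ValueError as exc:
        print("rejected:", exc)
```

To run the audit against a real instance, save the output of `GET /api/datasources` (an admin token is needed to see the whole organization) to a file and pass its contents to `find_wildcard_datasources`; any hit is a data source that should be deleted and whose creator's activity should be reviewed.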
Statement
Allowing a user to set a data source UID to '*' through the Grafana API is rated Moderate severity. The impact is significant: once the wildcard data source exists, the attacker bypasses the per-data-source access controls and can read, query, edit and delete every data source in the organization, including its credentials and configuration. The severity is tempered by the precondition that the attacker must already hold permission to create a data source, which in a default setup is limited to organization administrators or roles explicitly granted that right.
Mitigation
Mitigation for this issue is either not available, or the currently available options don't meet the Red Hat Product Security criteria (ease of use and deployment, applicability to a widespread installation base, or stability).
Affected Packages
Platform | Package | State | Errata | Release date |
---|---|---|---|---|
Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Affected | ||
Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Affected | ||
Red Hat Ceph Storage 7 | rhceph/grafana-rhel9 | Affected | ||
Red Hat Enterprise Linux 8 | grafana | Not affected | ||
Red Hat Enterprise Linux 9 | grafana | Not affected | ||
Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Not affected | ||
Red Hat Storage 3 | grafana | Affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/acm-cli-rhel9 | Fixed | RHSA-2024:8974 | 06.11.2024 |
Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/acm-cluster-permission-rhel9 | Fixed | RHSA-2024:8974 | 06.11.2024 |
Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/acm-governance-policy-addon-controller-rhel9 | Fixed | RHSA-2024:8974 | 06.11.2024 |
Additional information
Status: 6 Medium (CVSS3)
Related vulnerabilities
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Grafana's users with permissions to create a data source can CRUD all data sources
Vulnerability in the API implementation of the Grafana data visualization web tool, allowing an attacker to gain unauthorized access to restricted functions