Описание
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are similarly affected
Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
A flaw was found in Grafana. This vulnerability allows users with Viewer or Editor roles to access or modify dashboards without proper permissions.
Отчет
This vulnerability is rated with an Important severity due to its ability to completely bypass role-based access controls, allowing users with VIEWER or EDITOR roles to access, modify, or delete dashboards regardless of permissions. The impact is further amplified when anonymous authentication is enabled, where unauthenticated users can perform privileged actions, significantly increasing exposure. Although organization-level isolation remains intact, the failure to enforce dashboard-level permissions undermines core security guarantees. It’s important to note that this issue affects only Grafana version 11.6.0, which is not included in any Red Hat supported builds, and therefore Red Hat customers are not impacted.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
Платформа | Пакет | Состояние | Рекомендация | Релиз |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | grafana | Not affected | ||
Red Hat Enterprise Linux 8 | grafana | Not affected | ||
Red Hat Enterprise Linux 9 | grafana | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.5 High
CVSS3
Связанные уязвимости
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
A security vulnerability in the /apis/dashboard.grafana.app/* endpoint ...
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с недостатками механизма авторизации, позволяющая нарушителю обойти существующие ограничения безопасности
EPSS
8.5 High
CVSS3