Grafana security release: Medium severity security fix for CVE-2024-1442

Grafana Security Advisory

We recently released Grafana 10.4 along with Grafana 10.3.4, 10.2.5, 10.1.8, 10.0.12 and 9.5.17. The latest version of Grafana and these patch releases contain a fix for CVE-2024-1442, a medium severity security vulnerability in Grafana’s access control system.

Releases containing the security patch:

  • Release 10.4.0 (latest release with the security patch)
  • Release 10.3.4
  • Release 10.2.5
  • Release 10.1.8
  • Release 10.0.12
  • Release 9.5.17

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Data source permission escalation (CVE-2024-1442)

Summary

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source. 

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify the data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit does not, however, stretch across organizations: to exploit the vulnerability in several organizations, a user would need permission to create data sources in each of them.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wildcard for all resources. Therefore, we should treat it as a reserved value and not allow the creation of a resource with the UID set to an asterisk.
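
To make the mechanism concrete, here is an added Go example (not Grafana's own code) that models a scope-based permission check in which a trailing asterisk acts as a wildcard. The scope layout `datasources:uid:<uid>`, the action names, and the `CreateDataSource*` functions are simplifications assumed for the illustration. The vulnerable path accepts a caller-supplied UID of `*`, so the creator's per-resource grants become wildcard grants over every data source; the fixed path rejects the reserved value before any permission is written.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Simplified model of scope-based access control (assumption: not Grafana's
// real implementation). Scopes take the form "datasources:uid:<uid>", and the
// evaluator treats a trailing "*" as a wildcard, so "datasources:uid:*"
// matches every data source in the organization.
const dataSourceScopePrefix = "datasources:uid:"

// Permission pairs an action (e.g. "datasources:query") with a scope.
type Permission struct {
	Action string
	Scope  string
}

// scopeMatches reports whether a granted scope covers a requested scope.
// A trailing "*" segment is treated as a wildcard over the prefix before it.
func scopeMatches(granted, requested string) bool {
	if granted == requested {
		return true
	}
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// HasAccess evaluates whether the permission set allows action on the
// data source identified by uid.
func HasAccess(perms []Permission, action, uid string) bool {
	want := dataSourceScopePrefix + uid
	for _, p := range perms {
		if p.Action == action && scopeMatches(p.Scope, want) {
			return true
		}
	}
	return false
}

// grantCreatorPermissions models what happens on creation: the creator
// receives query/write/delete permissions scoped to the new UID.
func grantCreatorPermissions(uid string) []Permission {
	scope := dataSourceScopePrefix + uid
	return []Permission{
		{Action: "datasources:query", Scope: scope},
		{Action: "datasources:write", Scope: scope},
		{Action: "datasources:delete", Scope: scope},
	}
}

// CreateDataSourceVulnerable accepts any caller-supplied UID, including "*",
// which turns the creator's scoped grants into wildcard grants.
func CreateDataSourceVulnerable(uid string) ([]Permission, error) {
	return grantCreatorPermissions(uid), nil
}

// ErrReservedUID is returned when a UID collides with the wildcard value.
var ErrReservedUID = errors.New("uid '*' is reserved as the access-control wildcard")

// ValidateUID rejects the reserved wildcard value; this is the essence of the fix.
func ValidateUID(uid string) error {
	if uid == "*" {
		return ErrReservedUID
	}
	return nil
}

// CreateDataSourceFixed validates the UID before granting creator permissions.
func CreateDataSourceFixed(uid string) ([]Permission, error) {
	if err := ValidateUID(uid); err != nil {
		return nil, err
	}
	return grantCreatorPermissions(uid), nil
}

func main() {
	// "prod-db" is a constructed UID standing in for an unrelated data source.
	perms, _ := CreateDataSourceVulnerable("*")
	fmt.Println("vulnerable: creator can query 'prod-db'?", HasAccess(perms, "datasources:query", "prod-db"))

	_, err := CreateDataSourceFixed("*")
	fmt.Println("fixed: creation with uid '*' fails:", err)

	perms, _ = CreateDataSourceFixed("my-ds")
	fmt.Println("fixed: creator can query own 'my-ds'?", HasAccess(perms, "datasources:query", "my-ds"))
	fmt.Println("fixed: creator can query 'prod-db'?", HasAccess(perms, "datasources:query", "prod-db"))
}
```

The check in `ValidateUID` is deliberately placed at resource creation rather than in the evaluator: the evaluator must keep honouring `*` for legitimately granted wildcard scopes, so the reserved value has to be kept out of the identifier namespace instead.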

The CVSS score for this vulnerability is 6 (Medium).

Impact

The vulnerability allows a user who has the permission to create a data source within an organization to gain access to query, edit, share, and delete any existing data source within that specified organization.

Impacted versions

The vulnerability impacts Grafana Enterprise and Grafana Cloud running on the following versions:

  • Grafana 10.3.0 to Grafana 10.3.4
  • Grafana 10.2.0 to Grafana 10.2.5
  • Grafana 10.1.0 to Grafana 10.1.8
  • Grafana 10.0.0 to Grafana 10.0.12
  • All versions older than Grafana 9.5.17

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible. 

As a mitigation, make sure that only trusted users have permission to create data sources.

Here is the command to list assignments of the datasources:create permission for your organization (replace the angle-bracket placeholders with your Grafana URL and administrator credentials):

curl http://<grafana-host>/api/access-control/assignments/search -X POST -u <user>:<password> -H 'Content-Type: application/json' -d '{
  "userId": "*",
  "teamId": "*",
  "basicRole": "*",
  "action": "datasources:create",
  "onlyRoles": true
}'

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2022-03-24 11:21 – Vulnerability is merged into Grafana’s code base.
  • 2022-04-21 13:54 – Vulnerability is released in Grafana version 8.5.0.
  • 2024-02-12 09:13 – Vulnerability is discovered through internal testing.
  • 2024-02-12 11:48 – An incident is raised, CVE is requested, and GitHub Advisory is created.
  • 2024-02-12 14:10 – The impact of the vulnerability is assessed, and a fix is proposed.
  • 2024-02-14 11:42 – The fix for the vulnerability is merged.
  • 2024-02-15 13:21 – The fix has been backported to the supported versions, and backports have been merged.
  • 2024-03-06 17:17 – Public release.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.
