A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

According to its self-reported version, the Grafana install hosted on the remote host is 8.5.x earlier than 9.5.7, or 10.0.x earlier than 10.0.12, or 10.1.x earlier than 10.1.8, or 10.2.x earlier than 10.2.5, or 10.3.x earlier than 10.3.4. It is, therefore, affected by a improper privilege management vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Grafana Labs installed on the remote host is prior to 10.0.12, 10.1.8, 10.2.5, 10.3.4, or 9.5.7. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-1442 advisory.

  - A user with the permissions to create a data source can use Grafana API to create a data source with UID     set to *. Doing this will grant the user access to read, query, edit and delete all data sources within     the organization. (CVE-2024-1442)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114844	Grafana 10.3.x < 10.3.4 Improper Privilege Management	Web App Scanning	Component Vulnerability	high
114843	Grafana 10.2.x < 10.2.5 Improper Privilege Management	Web App Scanning	Component Vulnerability	high
114842	Grafana 10.1.x < 10.1.8 Improper Privilege Management	Web App Scanning	Component Vulnerability	high
114841	Grafana 10.0.x < 10.0.12 Improper Privilege Management	Web App Scanning	Component Vulnerability	high
114840	Grafana 8.5.x < 9.5.7 Improper Privilege Management	Web App Scanning	Component Vulnerability	high
192023	Grafana Labs 10.0.x < 10.0.12 / 10.1.x < 10.1.8 / 10.2.x < 10.2.5 / 10.3.x < 10.3.4 / 8.5.x < 9.5.7 (CVE-2024-1442)	Nessus	Web Servers	high

Detections

Analytics

CVE-2024-1442

high

Tenable Plugins

high

high

high

high

high

high