Grafana's users with permissions to create a data source can CRUD all data sources
High severity
GitHub Reviewed
Published
Mar 7, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Package
Affected versions
>= 8.5.0, < 9.5.7
>= 10.0.0, < 10.0.12
>= 10.1.0, < 10.1.8
>= 10.2.0, < 10.2.5
>= 10.3.0, < 10.3.4
Patched versions
9.5.7
10.0.12
10.1.8
10.2.5
10.3.4
Description
Published by the National Vulnerability Database
Mar 7, 2024
Published to the GitHub Advisory Database
Mar 7, 2024
Reviewed
Mar 7, 2024
Last updated
Nov 18, 2024
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
References