CVSS3 Score: 6 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.0%)
Grafana Labs reports:
The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.
When a user creates a data source via the API, they can specify a data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.
The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is 6 Medium.
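The mechanism the advisory describes, shown as an added illustration in Go that is not Grafana's own code: a toy permission scope matcher that treats a trailing asterisk as "every resource of this kind", a create path that grants the creator a scope on the newly chosen UID, and the reserved-value check the fix calls for. The scope format "datasources:uid:<uid>", the in-memory store, and the names ScopeMatches, ValidateDataSourceUID and DataSourceStore are assumptions made for this example; the extra rejection of ":" inside a UID is added hardening, not something the advisory states.

```go
// Added illustration, not Grafana's code. With no UID validation, creating a
// data source whose UID is "*" hands the creator a scope that the wildcard
// matcher reads as "all data sources in the organization"; the hardened
// path rejects the reserved value before any scope is granted.
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ScopeMatches reports whether a granted scope covers a required one.
// Scopes look like "datasources:uid:<uid>" (assumed format). A granted
// scope ending in ":*" is a wildcard for every resource under that prefix.
func ScopeMatches(granted, required string) bool {
	if granted == required {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		prefix := strings.TrimSuffix(granted, "*") // keeps the trailing ":"
		return strings.HasPrefix(required, prefix)
	}
	return false
}

// scopeForDataSource is the scope a creator receives on a data source.
func scopeForDataSource(uid string) string {
	return "datasources:uid:" + uid
}

// ErrReservedUID is returned when a caller tries to use the wildcard as a UID.
var ErrReservedUID = errors.New(`data source uid "*" is reserved for the permission wildcard`)

// ValidateDataSourceUID is the check the advisory calls for: "*" is a
// reserved value in permission evaluation, so it must never become a
// resource UID. Rejecting "*" or ":" anywhere in the UID is extra hardening
// assumed here, because both characters carry meaning in the scope syntax.
func ValidateDataSourceUID(uid string) error {
	if uid == "*" {
		return ErrReservedUID
	}
	if uid == "" || strings.ContainsAny(uid, "*:") {
		return fmt.Errorf("invalid data source uid %q", uid)
	}
	return nil
}

// DataSourceStore is an in-memory model of one organization's data sources
// and the scopes each user has been granted on them.
type DataSourceStore struct {
	hardened   bool // true = validate UIDs (the fix); false = the vulnerable behaviour
	uids       map[string]bool
	userScopes map[string][]string
}

func NewStore(hardened bool) *DataSourceStore {
	return &DataSourceStore{
		hardened:   hardened,
		uids:       map[string]bool{},
		userScopes: map[string][]string{},
	}
}

// Create registers a data source under a caller-chosen UID and grants the
// creating user a scope on it.
func (s *DataSourceStore) Create(user, uid string) error {
	if s.hardened {
		if err := ValidateDataSourceUID(uid); err != nil {
			return err
		}
	}
	if s.uids[uid] {
		return fmt.Errorf("data source uid %q already exists", uid)
	}
	s.uids[uid] = true
	s.userScopes[user] = append(s.userScopes[user], scopeForDataSource(uid))
	return nil
}

// Can reports whether user holds any scope that covers the given data source.
func (s *DataSourceStore) Can(user, uid string) bool {
	required := scopeForDataSource(uid)
	for _, granted := range s.userScopes[user] {
		if ScopeMatches(granted, required) {
			return true
		}
	}
	return false
}

func main() {
	for _, hardened := range []bool{false, true} {
		s := NewStore(hardened)
		_ = s.Create("admin", "prod-db") // existing data source the editor should not reach
		err := s.Create("editor", "*")   // editor holds only "create data source" permission
		fmt.Printf("hardened=%-5v create(\"*\") error=%v  editor can reach prod-db: %v\n",
			hardened, err, s.Can("editor", "prod-db"))
	}
}
```

Running it prints one line per mode: with validation off the create succeeds and the editor can reach prod-db through the wildcard scope; with validation on the create fails with ErrReservedUID and no scope is granted. The point for a defender is that the wildcard semantics live in the permission evaluator, so every path that lets a user choose a resource identifier has to refuse the evaluator's reserved values.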