Linux Distros Unpatched Vulnerability : CVE-2024-1313

🗓️ 03 Sep 2025 00:00:00Reported by TenableType

CVE-2024-1313: Unprivileged users can delete snapshots via view key due to broken authorization.

Reporter	Title	Published	Views	Family All 86
IBM Security Bulletins	Security Bulletin: IBM Storage Ceph is vulnerable to Authorization Bypass in Grafana (CVE-2024-1313)	29 Jul 202521:04	–	ibm
Tenable Nessus	Alibaba Cloud Linux 3 : 0096: grafana (ALINUX3-SA-2024:0096)	14 May 202500:00	–	nessus
Tenable Nessus	CentOS 8 : grafana (CESA-2024:3265)	22 May 202400:00	–	nessus
Tenable Nessus	Grafana Labs 9.5 < 9.5.18, 10.0 < 10.0.13, 10.1 < 10.1.9, 10.2 < 10.2.6, 10.3 < 10.3.5 (CVE-2024-1313)	11 Apr 202400:00	–	nessus
Tenable Nessus	MiracleLinux 9 : grafana-9.2.10-16.el9.ML.1 (AXSA:2024-7906:07)	20 Jan 202600:00	–	nessus
Tenable Nessus	MiracleLinux 8 : grafana-9.2.10-16.el8 (AXSA:2024-8438:09)	20 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 9 : grafana (ELSA-2024-2568)	7 May 202400:00	–	nessus
Tenable Nessus	Oracle Linux 8 : grafana (ELSA-2024-3265)	30 May 202400:00	–	nessus
Tenable Nessus	RHEL 9 : grafana (RHSA-2024:2568)	30 Apr 202400:00	–	nessus
Tenable Nessus	RHEL 8 : grafana (RHSA-2024:3265)	23 May 202400:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2024-1313
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(260931);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/03");

  script_cve_id("CVE-2024-1313");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2024-1313");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - It is possible for a user in a different organization from the owner of a snapshot to bypass authorization
    and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This
    functionality is intended to only be available to individuals with the permission to write/edit to the
    snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an
    unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana
    Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing
    this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from
    10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. (CVE-2024-1313)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2024-1313");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-1313");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:grafana");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "grafana"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

03 Sep 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.16.5

EPSS0.00032

SSVC