BIT-GRAFANA-2024-1313 Users outside an organization can delete a snapshot with its key
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit ...
CVE-2024-1313
CVE-2024-1313 is confirmed with concrete details in connected docs: Grafana versions affected are 9.5.0–9.5.17, 10.0.0–10.0.12, 10.1.0–10.1.8, 10.2.0–10.2.5, and 10.3.0–10.3.4. The issue is an authorization bypass allowing a user from a different organization to delete a snapshot by sending DELET...
CVE-2024-1313 Users outside an organization can delete a snapshot with its key
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit ...