CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)
Grafana is vulnerable to Authorization Bypass Through User-Controlled Key. The vulnerability is due to insufficient validation of organization IDs in DeleteDashboardSnapshot within dashboard_snapshot.go. This allows an attacker to bypass authorization and delete a snapshot by sending a DELETE request to /api/snapshots/ with its view key.
github.com/advisories/GHSA-mh7p-8m2f-qrm6
github.com/grafana/grafana/commit/0dd44921cf9eb7f582f3aa5032ea9dd01461348a
github.com/grafana/grafana/commit/783cbd8a148eb0c0a017a01c0dbe1138fe5e8e24
github.com/grafana/grafana/commit/9c2ce6255bb326364c83384306356a63896c8601
github.com/grafana/grafana/commit/d80f83be011232ad02363c93dfedecdd23aeb098
github.com/grafana/grafana/commit/f4c5a603b25f69127bfe065381ff454e55b334c5
grafana.com/security/security-advisories/cve-2024-1313/
security.netapp.com/advisory/ntap-20240524-0008/