CGA-fw4g-9mf4-p6pc

Published

Last updated

https://images.chainguard.dev/security/CGA-fw4g-9mf4-p6pc

Package

grafana-11.1

Latest Update

Fixed

Fixed Version

11.1.3-r0

Aliases

CVE-2024-6322
GHSA-hh8p-374f-qgr5

Severity

4.4

Medium

CVSS V3

Summary

Grafana plugin data sources vulnerable to access control bypass

Description

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6322
https://github.com/advisories/GHSA-hh8p-374f-qgr5
https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef
https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a
https://github.com/grafana/grafana
https://grafana.com/security/security-advisories/cve-2024-6322

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-fw4g-9mf4-p6pc

Severity

Summary

Description

References

Updates

Product

Why Chainguard

Customers

Company

Resources