CVE-2024-6322

Summary

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana11.1.0 < 11.1.1affected
GrafanaGrafana11.1.2 < 11.1.3affected
GrafanaGrafana Enterprise11.1.0 < 11.1.1affected
GrafanaGrafana Enterprise11.1.2 < 11.1.3affected

Weaknesses

  • CWE-266: CWE-266

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References