Products : Grafana
Source : security@grafana.com
CVE-2024-6322 details
Published : Aug. 20, 2024, 6:15 p.m.
Last Modified : Aug. 20, 2024, 6:15 p.m.
Description
Access control for plugin data sources protected by the ReqActions JSON field of the plugin's plugin.json is bypassed if the user or service account is granted the associated access on any other data source, because the ReqActions check was not scoped to each specific data source. The account must already have query access to the affected data source.
CVSS Score : 4.4 (scale 1 to 10)
Weakness
Weakness | Name | Description |
---|---|---|
CWE-266 | Incorrect Privilege Assignment | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
CVSS Data
Attack Vector : NETWORK
Attack Complexity : HIGH
Privileges Required : HIGH
Scope : CHANGED
Confidentiality Impact : NONE
Integrity Impact : LOW
Availability Impact : LOW
Base Score : 4.4
Exploitability Score : 1.3
Impact Score : 2.7
Base Severity : MEDIUM
Vector String : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
References
URL | Source |
---|---|
https://grafana.com/security/security-advisories/cve-2024-6322/ | security@grafana.com |