User with permissions to create a data source can CRUD all data sources

CVE ID: CVE-2024-1442

Date Published: March 7, 2024

Description:

A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to *. Doing this grants the user access to read, query, edit and delete all data sources within the organization.

Impacted Versions:

  • 8.5.0 < 9.5.7
  • 10.0.0 < 10.0.12
  • 10.1.0 < 10.1.8
  • 10.2.0 < 10.2.5
  • 10.3.0 < 10.3.4