User with permissions to create a data source can CRUD all data sources
CVE ID: CVE-2024-1442
Date Published: March 7, 2024
Description:
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Impacted Versions:
- 8.5.0 < 9.5.7
- 10.0.0 < 10.0.12
- 10.1.0 < 10.1.8
- 10.2.0 < 10.2.5
- 10.3.0 < 10.3.4