=====================================================================
                            CERT-Renater

                 Note d'Information No. 2024/VULN108
_____________________________________________________________________

DATE                 : 12/03/2024

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Grafana versions prior to
                       9.5.7, 10.0.12, 10.1.8, 10.2.5, 10.3.4.

=====================================================================
https://grafana.com/security/security-advisories/cve-2024-1442/
_____________________________________________________________________

User with permissions to create a data source can CRUD all data sources

CVE ID: CVE-2024-1442

Date Published: March 7, 2024

Description:

A user with the permissions to create a data source can use Grafana API
to create a data source with UID set to *. Doing this will grant the
user access to read, query, edit and delete all data sources within the
organization.

Impacted Versions:

    8.5.0  < 9.5.7
    10.0.0 < 10.0.12
    10.1.0 < 10.1.8
    10.2.0 < 10.2.5
    10.3.0 < 10.3.4

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
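
A triage check for the condition described above, added here as an example; it is not part of the advisory or of Grafana's code. It tests a version string against the impacted ranges listed in the note and flags any data source whose UID is `*`. The listing shape (a JSON array of objects with `uid`, `id`, `orgId`, `name`) is an assumption modelled on the output of Grafana's data source list API, and the sample data is constructed.

```python
import json

# Impacted ranges from the advisory: (first affected, first fixed); the fixed version is excluded.
IMPACTED = [
    ((8, 5, 0), (9, 5, 7)),
    ((10, 0, 0), (10, 0, 12)),
    ((10, 1, 0), (10, 1, 8)),
    ((10, 2, 0), (10, 2, 5)),
    ((10, 3, 0), (10, 3, 4)),
]

def parse_version(text):
    """Turn '10.2.3', 'v10.2.3' or '10.2.3+build' into (10, 2, 3)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return tuple(parts)

def is_impacted(version):
    """True when the version falls inside one of the advisory's impacted ranges."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in IMPACTED)

def wildcard_datasources(listing_json):
    """Return the data sources in a listing whose UID is exactly '*'."""
    return [
        {"orgId": ds.get("orgId"), "id": ds.get("id"), "name": ds.get("name")}
        for ds in json.loads(listing_json)
        if str(ds.get("uid") or "").strip() == "*"
    ]

# Constructed sample listing (hypothetical names and ids, not taken from the advisory).
SAMPLE_LISTING = json.dumps([
    {"id": 3, "orgId": 1, "uid": "P1809F7CD0C75ACF3", "name": "constructed-prometheus"},
    {"id": 7, "orgId": 1, "uid": "*", "name": "constructed-wildcard"},
])

if __name__ == "__main__":
    print("10.2.4 impacted:", is_impacted("10.2.4"))
    for hit in wildcard_datasources(SAMPLE_LISTING):
        print("data source with wildcard UID:", hit)
```

A hit from `wildcard_datasources` on an instance that ran an impacted version is worth reviewing even after upgrading, since the data source itself persists across the upgrade.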