=====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN149
_____________________________________________________________________

DATE                : 27/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to
                      9.5.18, 10.0.13, 10.1.9, 10.2.6, 10.3.5.

=====================================================================
https://grafana.com/security/security-advisories/cve-2024-1313/
_____________________________________________________________________

Users outside an organization can delete a snapshot with its key
CVE ID: CVE-2024-1313
Date Published: March 26, 2024
Description:

It is possible for a user in a different organization from the owner
of a snapshot to bypass authorization and delete a snapshot by
issuing a DELETE request to /api/snapshots/ using its view key. This
functionality is intended to only be available to individuals with
the permission to write/edit to the snapshot in question, but due
to a bug in the authorization logic, deletion requests issued by an
unprivileged user in a different organization than the snapshot
owner are treated as authorized.

Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo
Alto Research for discovering and disclosing this vulnerability.

This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0
before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before
10.2.6, from 10.3.0 before 10.3.5.

Note: 10.4.x versions were not impacted by this vulnerability
due to the functionality in question having been refactored
entirely.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================