Bugzilla – Bug 1222155
VUL-0: CVE-2024-1313: grafana: authorization bypass on snapshot delete endpoint of different organization
Last modified: 2024-07-03 05:44:19 UTC
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1313
https://www.cve.org/CVERecord?id=CVE-2024-1313
https://grafana.com/security/security-advisories/cve-2024-1313/
https://bugzilla.redhat.com/show_bug.cgi?id=2271903
https://github.com/grafana/grafana/pull/83111

Patch:
main - https://github.com/grafana/grafana/pull/83111/commits/acac792974d544c27ab390a44e0f8602e166c424
9.5 - https://github.com/grafana/grafana/commit/f4c5a603b25f69127bfe065381ff454e55b334c5
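The organization-scoped check the advisory describes as missing, shown as an added illustration that is neither Grafana's code nor part of this bug report: the Snapshot and Requester types and both authorize functions are hypothetical, the unscoped variant stands for the bug class (no organization comparison before a delete by view key), and the scoped variant for the intended behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

// Snapshot holds only the fields the authorization decision needs.
// Hypothetical model for this example, not Grafana's own type.
type Snapshot struct {
	Key    string // view key that appears in /api/snapshots/<key>
	OrgID  int64  // organization that owns the snapshot
	UserID int64  // user who created the snapshot
}

// Requester is the authenticated caller of the DELETE endpoint.
type Requester struct {
	OrgID       int64
	UserID      int64
	IsOrgEditor bool // may edit snapshots within its own organization
}
var ErrForbidden = errors.New("forbidden")

// authorizeDeleteUnscoped illustrates the bug class in the advisory: it
// checks that the caller is logged in and the key resolves, but never
// that the caller's organization matches the snapshot's.
func authorizeDeleteUnscoped(r Requester, s *Snapshot) error {
	if s == nil || r.UserID == 0 {
		return ErrForbidden
	}
	return nil
}

// authorizeDeleteScoped is the hardened form: same organization first,
// then either the creator or an org-level editor.
func authorizeDeleteScoped(r Requester, s *Snapshot) error {
	if s == nil || r.UserID == 0 || r.OrgID != s.OrgID {
		return ErrForbidden
	}
	if r.UserID == s.UserID || r.IsOrgEditor {
		return nil
	}
	return ErrForbidden
}

func main() {
	snap := &Snapshot{Key: "k1", OrgID: 1, UserID: 10} // constructed sample
	outsider := Requester{OrgID: 2, UserID: 20, IsOrgEditor: true}
	fmt.Println(authorizeDeleteUnscoped(outsider, snap), authorizeDeleteScoped(outsider, snap))
}
```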
According to the SLA, the bugfix should get released with SUSE Manager 4.3.12. Last day for changes is 2024-04-09.
The package, updated to version 9.5.18, has been submitted to the SUMA 4.3 development project and is going through QA. Planned submission to SLE codestreams on 2024-05-06.
SUSE-SU-2024:1530-1: An update that solves two vulnerabilities and contains one feature can now be installed.
Category: security (moderate)
Bug References: 1219912, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33419](https://smelt.suse.de/incident/33419/)
Sources used:
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.18-150200.3.56.1
openSUSE Leap 15.5 (src): mybatis-3.5.6-150200.5.6.1, grafana-9.5.18-150200.3.56.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1509-1: An update that solves 15 vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219912, 1221092, 1221465, 1222155
CVE References: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33434](https://smelt.suse.de/incident/33434/)
Sources used:
openSUSE Leap 15.5 (src): spacecmd-4.3.27-150000.3.116.2, POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Client Tools for SLE 15 (src): POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, spacewalk-client-tools-4.3.19-150000.3.89.2, uyuni-common-libs-4.3.10-150000.1.39.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, mgr-daemon-4.3.9-150000.1.47.2, spacewalk-koan-4.3.6-150000.3.33.2, spacecmd-4.3.27-150000.3.116.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, grafana-9.5.18-150000.1.63.2
SUSE Manager Client Tools for SLE Micro 5 (src): uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2
SUSE Package Hub 15 15-SP5 (src): golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Proxy 4.3 Module 4.3 (src): ansible-2.9.27-150000.1.17.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1508-1: An update that solves two vulnerabilities, contains three features and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1219912, 1221465, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760, PED-7893, PED-7928
Maintenance Incident: [SUSE:Maintenance:33420](https://smelt.suse.de/incident/33420/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src): golang-github-prometheus-promu-0.14.0-1.18.1, spacecmd-4.3.27-38.139.1, spacewalk-client-tools-4.3.19-52.98.1, uyuni-common-libs-4.3.10-1.39.1, golang-github-prometheus-node_exporter-1.7.0-1.30.2, spacewalk-koan-4.3.6-24.36.1, golang-github-prometheus-alertmanager-0.26.0-1.27.2, mgr-daemon-4.3.9-1.47.1, grafana-9.5.18-1.63.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2
SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1815-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.
Category: security (moderate)
Bug References: 1221465, 1222155, 1222277, 1222731
CVE References: CVE-2024-1313
Jira References: MSQA-775
Maintenance Incident: [SUSE:Maintenance:33710](https://smelt.suse.de/incident/33710/)
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): uyuni-common-libs-5.0.3-3.39.3, mgr-push-5.0.2-4.24.5, grafana-9.5.18-4.30.4, spacecmd-5.0.6-41.51.3, uyuni-tools-0.1.9-3.11.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1814-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.
Category: security (moderate)
Bug References: 1221465, 1222155, 1222277, 1222731
CVE References: CVE-2024-1313
Jira References: MSQA-775
Maintenance Incident: [SUSE:Maintenance:33711](https://smelt.suse.de/incident/33711/)
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): uyuni-tools-0.1.9-159000.3.11.5, golang-github-prometheus-node_exporter-1.7.0-159000.6.5.5
SUSE Manager Client Tools Beta for SLE 15 (src): uyuni-tools-0.1.9-159000.3.11.5, mgr-push-5.0.2-159000.4.24.5, spacecmd-5.0.6-159000.6.51.4, uyuni-common-libs-5.0.3-159000.3.39.3, grafana-9.5.18-159000.4.33.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1530-2: An update that solves two vulnerabilities and contains one feature can now be installed.
Category: security (moderate)
Bug References: 1219912, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33419](https://smelt.suse.de/incident/33419/)
Sources used:
openSUSE Leap 15.6 (src): grafana-9.5.18-150200.3.56.1, mybatis-3.5.6-150200.5.6.1
SUSE Package Hub 15 15-SP6 (src): grafana-9.5.18-150200.3.56.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.