{"id":"CVE-2024-1442","summary":"User with permissions to create a data source can CRUD all data sources","details":" A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n","aliases":["BIT-grafana-2024-1442","GHSA-5mxf-42f5-j782","GO-2024-2629"],"modified":"2026-05-28T04:09:25.468983744Z","published":"2024-03-07T17:45:43.993Z","related":["CGA-ph6x-2757-469v"],"database_specific":{"cna_assigner":"GRAFANA","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"8.5.0"},{"fixed":"9.5.7"},{"introduced":"10.0.0"},{"fixed":"10.0.12"},{"introduced":"10.1.0"},{"fixed":"10.1.8"},{"introduced":"10.2.0"},{"fixed":"10.2.5"},{"introduced":"10.3.0"},{"fixed":"10.3.4"}]}],"cwe_ids":["CWE-269"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1442.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1442.json"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2024-1442/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1442"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241122-0007/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"6134e3cf35a99c7dd3041b7ececb47cb7619ba9a"},{"fixed":"d2bfe3cc0bfb304d82548c94b6d4e348ec40005e"},{"introduced":"81d85ce8028dc54188e1f4482837d28f5fc7c797"},{"fixed":"4178363b4924405e546cc0d636029b59a8b8fef2"},{"introduced":"ff85ec33c56ffe567e6bde27473d9493eb70c743"},{"fixed":"8e1826409dffb1b6e9653ff0c0dd5689427ed48a"},{"introduced":"ae830f687450b8a0aca94ab2d72cc08853a80fff"},{"fixed":"ef29c153428e7bd5d53f54d564c5d5a51fd05124"},{"introduced":"e010fbb08cfcd444924bc674035ac6286d8cdb88"},{"fixed":"5bde27379c62c22183dd5e9deb7e66d90fada639"}],"database_specific":{"extracted_events":[{"introduced":"8.5.0"},{"fixed":"9.5.7"},{"introduced":"10.0.0"},{"fixed":"10.0.12"},{"introduced":"10.1.0"},{"fixed":"10.1.8"},{"introduced":"10.2.0"},{"fixed":"10.2.5"},{"introduced":"10.3.0"},{"fixed":"10.3.4"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1442.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L"}]}