
AIKIDO-2024-10459

grafana-enterprise is vulnerable to Improper Isolation or Compartmentalization

Weakness: Improper Isolation or Compartmentalization
CVE: CVE-2024-8118
Published: Nov 20, 2024

51

Medium Risk

This affects: grafana-enterprise (os)

  8.5.0 - 10.3.9    fixed in 10.3.10
  10.4.0 - 10.4.8   fixed in 10.4.9
  11.0.0 - 11.0.4   fixed in 11.0.5
  11.1.0 - 11.1.5   fixed in 11.1.6
  11.2.0 - 11.2.0   fixed in 11.2.1

TL;DR

Affected versions of this package are vulnerable to improper isolation and compartmentalization of permissions. In Grafana, incorrect permissions are applied to the alert rule write API endpoint, allowing users who have permission to write external alert instances to also modify alert rules. This flaw compromises the principle of least privilege by granting users unintended access, potentially leading to unauthorized changes in alert configurations and impacting the reliability and security of the monitoring system.

Who does this affect?

You are affected if you are running a grafana-enterprise version that falls within one of the affected ranges listed above.

Background info

grafana-enterprise is vulnerable to Improper Isolation or Compartmentalization in versions 8.5.0 - 10.3.9, 10.4.0 - 10.4.8, 11.0.0 - 11.0.4, 11.1.0 - 11.1.5 and 11.2.0 - 11.2.0.

How to fix this

Upgrade the grafana-enterprise package to the fixed release for your minor series: 10.3.10, 10.4.9, 11.0.5, 11.1.6 or 11.2.1.
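The following is an added example, not code from the advisory or from Grafana: it encodes the affected ranges above as inclusive bounds and reports, for a version string (for instance the "version" field returned by Grafana's /api/health endpoint), whether the instance is affected and which release fixes it. Sample versions are constructed; pre-release suffixes are ignored so that a build such as 11.2.0-pre is conservatively treated as 11.2.0.

```python
import re

# Affected ranges and their fixes exactly as the advisory lists them (inclusive bounds).
AFFECTED_RANGES = [
    ((8, 5, 0), (10, 3, 9), "10.3.10"),
    ((10, 4, 0), (10, 4, 8), "10.4.9"),
    ((11, 0, 0), (11, 0, 4), "11.0.5"),
    ((11, 1, 0), (11, 1, 5), "11.1.6"),
    ((11, 2, 0), (11, 2, 0), "11.2.1"),
]

# Accepts '10.4.3', 'v10.4.3' or '10.4.3-pre'; only the three numeric components matter.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) for a Grafana version string.

    Raises ValueError when the string does not start with three numeric components.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Return (affected, fixed_in) for a grafana-enterprise version string.

    fixed_in is the first patched release of the matching series when the version
    is affected, otherwise None.
    """
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed <= high:
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample versions, as they might be reported by /api/health.
    for sample in ["8.4.9", "10.3.9", "v10.3.10", "11.1.2-pre", "11.2.1", "11.3.0"]:
        affected, fixed = assess(sample)
        verdict = f"AFFECTED, upgrade to {fixed}" if affected else "not in an affected range"
        print(f"{sample:>12}: {verdict}")
```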