6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-1442

CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources

A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-1442

CVE-2024-1442:

6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	>= 8.5.0, < 9.5.7	9.5.7
github.com/grafana/grafana	go	>= 10.0.0, < 10.0.12	10.0.12
github.com/grafana/grafana	go	>= 10.1.0, < 10.1.8	10.1.8
github.com/grafana/grafana	go	>= 10.2.0, < 10.2.5	10.2.5
github.com/grafana/grafana	go	>= 10.3.0, < 10.3.4	10.3.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper UID validation in data source creation flow. While exact code diffs aren't available, the pattern matches API handlers and service layer functions responsible for processing UID parameters. The first function likely accepts the wildcard UID from API requests, while the second persists it without verifying if the user should have organization-wide access. Together they enable privilege escalation through UID='*' assignment, consistent with CWE-269's improper privilege management description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources

CVE-2024-1442:

6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-1442: Grafana's users with permissions to create a data source can CRUD all data sources

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

6

6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI