
CVE-2024-6322: Grafana plugin data sources vulnerable to access control bypass

CVSS Score (v3.1): 4.4

Basic Information

EPSS Score: 0.31167%
Published: 8/20/2024
Updated: 8/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L

Package Name               | Ecosystem | Vulnerable Versions | First Patched Version
github.com/grafana/grafana | go        | = 11.1.0            | 11.1.1
github.com/grafana/grafana | go        | = 11.1.2            | 11.1.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from RBAC checks that were not scoped to the specific resource being accessed. The original code used generic EvalPermission checks that only verified the caller held the required action, without constraining it to the data source or plugin in question. A user or service account granted that action on any other data source therefore passed the check for a plugin data source it had not been granted, enabling cross-datasource privilege escalation. The patch introduced GetDataSourceRouteEvaluator and GetPluginRouteEvaluator, which add scope identifiers (the datasource UID or plugin ID) to the permission evaluation so that the required action must be held on the targeted resource.
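The following Go program is an added example for this page, not Grafana's code: it models the difference between an action-only permission check and one that also requires a matching scope. The Permission type, the scope string format "datasources:uid:<uid>", the wildcard handling, and the reqActions slice standing in for a plugin.json route's required actions are all assumptions made for illustration. It shows how a grant on data source A passes the unscoped check for data source B but fails once the evaluator carries the target UID.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one RBAC grant: an action on a scope, for example action
// "datasources:query" on scope "datasources:uid:A". Scopes may end in a
// wildcard ("datasources:uid:*" or "datasources:*"). This is a simplified
// model written for this page, not Grafana's own accesscontrol package.
type Permission struct {
	Action string
	Scope  string
}

// scopeMatches reports whether a granted scope covers the requested one.
// "*" alone, or a prefix ending in ":*", matches any scope beneath it.
func scopeMatches(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// evalUnscoped models the pre-patch check: the route's required actions are
// satisfied if the caller holds each action on ANY scope. A grant on data
// source A therefore also opens data source B.
func evalUnscoped(perms []Permission, reqActions []string) bool {
	for _, action := range reqActions {
		found := false
		for _, p := range perms {
			if p.Action == action {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

// evalScoped models the patched check: every required action must be held
// on a scope that covers the specific data source being proxied.
func evalScoped(perms []Permission, reqActions []string, dsUID string) bool {
	required := "datasources:uid:" + dsUID
	for _, action := range reqActions {
		found := false
		for _, p := range perms {
			if p.Action == action && scopeMatches(p.Scope, required) {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the caller may query data source "A" only, but the
	// plugin route (required actions assumed to come from plugin.json) is
	// exercised for data source "B".
	perms := []Permission{{Action: "datasources:query", Scope: "datasources:uid:A"}}
	reqActions := []string{"datasources:query"}

	fmt.Println("unscoped (vulnerable), dsUID=B:", evalUnscoped(perms, reqActions))
	fmt.Println("scoped (patched), dsUID=B:", evalScoped(perms, reqActions, "B"))
	fmt.Println("scoped (patched), dsUID=A:", evalScoped(perms, reqActions, "A"))
}
```

The practical check when reviewing similar code is whether the evaluator that guards a proxied route receives the identifier of the resource being proxied; an evaluator built from the action alone cannot distinguish one data source from another.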


WAF Protection Rules

WAF Rule

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific
