CVE-2024-6322 Vulnerability Details

  /     /     /  

CVE-2024-6322 Metadata Quick Info

CVE Published: 20/08/2024 | CVE Updated: 03/09/2024 | CVE Year: 2024
Source: GRAFANA | Vendor: Grafana | Product: Grafana
Status : PUBLISHED

---

CVE-2024-6322 Description

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

Metrics

CVSS Version: 3.1 | Base Score: 4.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-266
CWE Name: CWE-266
Source: Grafana

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).