x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

GoVulnBot · 2024-08-20T21:01:16Z

Advisory GHSA-hh8p-374f-qgr5 references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana

Description:
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

References:

ADVISORY: GHSA-hh8p-374f-qgr5
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-6322
FIX: grafana/grafana@4cb3ba5
FIX: grafana/grafana@9cdba08
WEB: https://grafana.com/security/security-advisories/cve-2024-6322

Cross references:

github.com/grafana/grafana appears in 50 other report(s):
- data/excluded/GO-2022-0259.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0275.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0276.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0277.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0296.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0311.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0312.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0313.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0342.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342) NOT_IMPORTABLE
- data/excluded/GO-2022-0707.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0753.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0773.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0934.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934) NOT_IMPORTABLE
- data/excluded/GO-2023-1599.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1603.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1604.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1673.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673) NOT_A_VULNERABILITY
- data/excluded/GO-2023-1674.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1680.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680) NOT_GO_CODE
- data/excluded/GO-2023-1843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1875.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1964.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2120.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120) EFFECTIVELY_PRIVATE
- data/excluded/GO-2024-2551.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551) EFFECTIVELY_PRIVATE
- data/reports/GO-2024-2483.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-6wh2-8hw7-jw94 #2483)
- data/reports/GO-2024-2510.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-v5gq-qvjq-8p53 #2510)
- data/reports/GO-2024-2513.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3jq7-8ph8-63xm #2513)
- data/reports/GO-2024-2515.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7m2x-qhrq-rp8h #2515)
- data/reports/GO-2024-2516.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-9hv8-4frf-cprf #2516)
- data/reports/GO-2024-2517.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ccmg-w4xm-p28v #2517)
- data/reports/GO-2024-2519.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519)
- data/reports/GO-2024-2520.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mvpr-q6rh-8vrp #2520)
- data/reports/GO-2024-2523.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xr3x-62qw-vc4w #2523)
- data/reports/GO-2024-2629.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629)
- data/reports/GO-2024-2661.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/tsdb/mysql: GHSA-4pwp-cx67-5cpx #2661)
- data/reports/GO-2024-2697.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697)
- data/reports/GO-2024-2843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-2x6g-h2hg-rq84 #2843)
- data/reports/GO-2024-2844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3p62-42x7-gxg5 #2844)
- data/reports/GO-2024-2847.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ff5c-938w-8c9q #2847)
- data/reports/GO-2024-2848.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-gj7m-853r-289r #2848)
- data/reports/GO-2024-2851.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-jv32-5578-pxjc #2851)
- data/reports/GO-2024-2852.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mx47-6497-3fv2 #2852)
- data/reports/GO-2024-2854.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-p978-56hq-r492 #2854)
- data/reports/GO-2024-2855.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-rhxj-gh46-jvw8 #2855)
- data/reports/GO-2024-2856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vqc4-mpj8-jxch #2856)
- data/reports/GO-2024-2857.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vw7q-p2qg-4m5f #2857)
- data/reports/GO-2024-2858.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x744-mm8v-vpgr #2858)
- data/reports/GO-2024-2867.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-4724-7jwc-3fpw #2867)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - introduced: TODO (earliest fixed "11.1.3", vuln range "= 11.1.2")
        - introduced: TODO (earliest fixed "11.1.1", vuln range "= 11.1.0")
      vulnerable_at: 5.4.5+incompatible
summary: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
cves:
    - CVE-2024-6322
ghsas:
    - GHSA-hh8p-374f-qgr5
references:
    - advisory: https://github.com/advisories/GHSA-hh8p-374f-qgr5
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6322
    - fix: https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef
    - fix: https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a
    - web: https://grafana.com/security/security-advisories/cve-2024-6322
notes:
    - fix: 'module merge error: could not merge versions of module github.com/grafana/grafana: invalid or non-canonical semver version (found TODO (earliest fixed "11.1.3", vuln range "= 11.1.2"))'
source:
    id: GHSA-hh8p-374f-qgr5
    created: 2024-08-20T21:01:15.675519754Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-21T14:31:09Z

Change https://go.dev/cl/607335 mentions this issue: data/reports: add 5 unreviewed reports

tatianab added the triaged label Aug 21, 2024

gopherbot closed this as completed in 6f05161 Aug 22, 2024

This was referenced Oct 25, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

Closed

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

GoVulnBot commented Aug 20, 2024

gopherbot commented Aug 21, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

Comments

GoVulnBot commented Aug 20, 2024

gopherbot commented Aug 21, 2024