CVE-2024-8118 MEDIUM

CVE-2024-8118: Grafana alerting wrong permission on datasource rule write endpoint

Vendor Grafana
Product Grafana
Weakness CWE-653
Published September 26, 2024
Last update September 26, 2024

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

Key dates

02 Disclosure timeline

September 26, 2024 CVE published
September 26, 2024 Record updated