CVE-2024-10452

Aliases:GHSA-66c4-2g2v-54qwBIT-grafana-2024-10452GO-2024-3240

Advisory lineage Upstream: 0 Downstream: 4

Downstream

OPENSUSE-SU-2024:0350-1 OPENSUSE-SU-2024:14458-1 SUSE-SU-2024:3950-1 UBUNTU-CVE-2024-10452

Analyzed

Published: 29 Oct 2024, 15:16

Last modified:29 Oct 2024, 15:35

Vulnerability Summary

Overall Risk (default)

low

11/100

CVSS Score

2.7 LOW

v3.1 (nvd)

EPSS Score

0.22% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 Oct 2024, 15:16

Published

Vulnerability first disclosed

29 Oct 2024, 15:35

Last Modified

Vulnerability information updated

Description

Organization admins can delete pending invites created in an organization they are not part of.

CVSS Metrics

v4.0•LOW•Score: 2.1CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
v3.1•LOW•Score: 2.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
v3.1•LOW•Score: 2.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.22%• Percentile: 44%

Techniques & Countermeasures

CWE-639•Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Affected Systems

github.com/grafana•grafana
≤ 10.4.0 | all
grafana•grafana
10.4.0