CVE-2024-8118

Advisory lineage Upstream: 0 Downstream: 5

Downstream

OPENSUSE-SU-2024:14431-1 SUSE-SU-2025:0524-1 SUSE-SU-2025:0525-1 SUSE-SU-2025:0545-1 UBUNTU-CVE-2024-8118

Deferred

Published: 26 Sept 2024, 18:46

Last modified:26 Sept 2024, 19:06

Vulnerability Summary

Overall Risk (default)

low

20/100

CVSS Score

5.1 MEDIUM

v4.0 (cve.org)

EPSS Score

0.1% LOW

0% probability +0.04%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

26 Sept 2024, 18:46

Published

Vulnerability first disclosed

26 Sept 2024, 19:06

Last Modified

Vulnerability information updated

Description

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

CVSS Metrics

v4.0•MEDIUM•Score: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
v4.0•MEDIUM•Score: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Trends

Current EPSS score: 0.10%• Percentile: 27%

Techniques & Countermeasures

CWE-653•Improper Isolation or Compartmentalization
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

Affected Systems

grafana•grafana
≥ 8.5.0, < 10.3.10 | ≥ 10.4.0, < 10.4.9 | ≥ 11.0.0, < 11.0.5 | ≥ 11.1.0, < 11.1.6 | ≥ 11.2.0, < 11.2.1

References (1)

https://grafana.com/security/security-advisories/cve-2024-8118/