CVE-2024-1313: BOLA Flaw in Grafana Threatens Dashboard Integrity – Patch Immediately
Organizations relying on Grafana for essential data visualizations should prioritize patching following the disclosure of a Broken Object Level Authorization (BOLA) vulnerability, CVE-2024-1313. Reported by Ravid Mazon and Jay Chen of Palo Alto Networks' Unit 42, the flaw lets a low-privileged user delete dashboard snapshots that belong to other organizations, which can break dashboards that depend on those snapshots, undermine confidence in the data they present, and disrupt business operations.
Broken Object Level Authorization (BOLA) vulnerabilities arise when a system's access controls fail to verify, for the specific object being requested, whether the caller is entitled to read, modify or delete it. The object is typically addressed by an identifier the caller supplies, and the check that should tie that identifier back to the caller's permissions is missing or incomplete. In Grafana's case, the snapshot deletion endpoint locates the snapshot by its key but does not confirm that the caller is entitled to that particular snapshot, so the key alone becomes sufficient to delete it.
The flaw affects Grafana from 9.5.0 up to, but not including, the patched release in each affected series (the fixed releases are listed below). At its core, CVE-2024-1313 lets a low-privileged user delete dashboard snapshots belonging to other organizations by supplying the snapshot's key.
It carries a CVSS score of 6.5 (medium). Exploitation is straightforward: an account on the instance and knowledge of the snapshot's key are all that is needed; no technique beyond the ordinary delete call is involved.
Concretely, any authenticated user, including one outside the snapshot owner's organization, can delete a dashboard snapshot by issuing a DELETE request to the snapshot API with the snapshot's key. The key also appears in the snapshot's URL, so anyone a snapshot link has been shared with, or who has seen it in a log or referrer, holds what is needed.
This applies even to users assigned "No Basic Role", who hold no permissions at all, and it covers snapshots created by administrators. The impact is loss of snapshots and disruption of whatever workflows depend on them. Note the scope, however: the missing check is cross-organization. A user in the same organization as the snapshot's owner is still subject to the ordinary ownership check and cannot use this flaw to delete snapshots they do not own.
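To make the authorization gap concrete, the following is an added, self-contained Go model of the behaviour the advisory describes: a snapshot store looked up by key, a handler that only applies its creator-or-admin check when the snapshot is in the caller's own organization, and a corrected handler that enforces object-level authorization. This is illustrative code written for this page, not Grafana's source; the type names, fields, roles and in-memory store are assumptions, and the vulnerable variant is a reconstruction of the described outcome (cross-org bypass, same-org blocked), not of the actual defect in the codebase.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a simplified stand-in for Grafana's org roles (assumption for the example).
type Role string

const (
	RoleAdmin  Role = "Admin"
	RoleViewer Role = "Viewer"
	RoleNone   Role = "" // "No Basic Role"
)

// Snapshot records who created a snapshot and in which organization.
type Snapshot struct {
	Key    string
	OrgID  int64
	UserID int64 // creator
}

// Caller is the signed-in user making the DELETE request.
type Caller struct {
	UserID int64
	OrgID  int64
	Role   Role
}

var (
	ErrNotFound  = errors.New("snapshot not found")
	ErrForbidden = errors.New("forbidden")
)

// Store is a constructed in-memory snapshot table keyed by snapshot key.
type Store map[string]Snapshot

// NewStore returns a fresh store holding one snapshot owned by user 10 in org 1 (constructed data).
func NewStore() Store {
	return Store{"abc123": {Key: "abc123", OrgID: 1, UserID: 10}}
}

// DeleteVulnerable models the BOLA: the snapshot is fetched by key alone, and the
// creator-or-admin check is only applied when the snapshot belongs to the caller's
// organization. A caller from any other org, with any role, skips the check entirely.
func DeleteVulnerable(s Store, c Caller, key string) error {
	snap, ok := s[key]
	if !ok {
		return ErrNotFound
	}
	if snap.OrgID == c.OrgID {
		if c.Role != RoleAdmin && snap.UserID != c.UserID {
			return ErrForbidden
		}
	}
	delete(s, key)
	return nil
}

// DeleteFixed performs object-level authorization: the snapshot must belong to the
// caller's org (answered as not-found so keys cannot be probed across orgs), and the
// caller must be its creator or an admin of that org.
func DeleteFixed(s Store, c Caller, key string) error {
	snap, ok := s[key]
	if !ok || snap.OrgID != c.OrgID {
		return ErrNotFound
	}
	if c.Role != RoleAdmin && snap.UserID != c.UserID {
		return ErrForbidden
	}
	delete(s, key)
	return nil
}

func main() {
	outsider := Caller{UserID: 99, OrgID: 2, Role: RoleNone} // other org, no basic role
	sameOrg := Caller{UserID: 20, OrgID: 1, Role: RoleViewer} // same org, not the creator

	fmt.Println("vulnerable, outsider:", DeleteVulnerable(NewStore(), outsider, "abc123"))
	fmt.Println("vulnerable, same-org:", DeleteVulnerable(NewStore(), sameOrg, "abc123"))
	fmt.Println("fixed, outsider:     ", DeleteFixed(NewStore(), outsider, "abc123"))
	fmt.Println("fixed, same-org:     ", DeleteFixed(NewStore(), sameOrg, "abc123"))
}
```

The key design point in the fixed variant is that the organization check happens before any role or ownership reasoning, and that a cross-org key is answered exactly like an unknown key. Answering it with a 403 instead would confirm to an outsider that the key exists.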
Following Unit 42's report, Grafana issued fixes in each supported release series. Upgrade to the release that matches your series: 10.4.x, 10.3.5, 10.2.6, 10.1.9 or 9.5.18. Until the upgrade is done, treat snapshot keys and snapshot share links as sensitive, since possession of a key is all an attacker in another organization needs.
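A quick way to triage a fleet is to compare each instance's reported version against the fixed releases above. The following is an added example written for this page, not a Grafana tool: it parses the version string as returned in the `version` field of Grafana's `/api/health` response (the sample body below is constructed) and classifies it. The table holds only the fixed versions the advisory names; because 10.4 is given only as "10.4.x" and no fixed release is named for 10.0, those series deliberately return "unknown" so they are checked against the vendor advisory rather than silently passed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Verdict is the triage result for one version string.
type Verdict int

const (
	Unknown     Verdict = iota // series not covered by fixedPatch; consult the advisory
	NotAffected                // below 9.5.0, the first affected release
	Vulnerable
	Patched
)

func (v Verdict) String() string {
	return [...]string{"unknown (check advisory)", "not affected", "VULNERABLE", "patched"}[v]
}

// fixedPatch maps {major, minor} to the first patched patch level, as listed in the
// advisory. 10.4 and 10.0 are intentionally absent (see the lead-in).
var fixedPatch = map[[2]int]int{
	{9, 5}:  18,
	{10, 1}: 9,
	{10, 2}: 6,
	{10, 3}: 5,
}

// parseVersion accepts "10.3.4", "v10.3.4" and pre-release forms such as
// "10.4.0-123456pre"; anything after '-' or '+' is dropped.
func parseVersion(s string) (major, minor, patch int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unexpected version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return n[0], n[1], n[2], nil
}

// Assess classifies a Grafana version string against the fixed releases.
func Assess(version string) (Verdict, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return Unknown, err
	}
	if major < 9 || (major == 9 && minor < 5) {
		return NotAffected, nil
	}
	fixed, ok := fixedPatch[[2]int{major, minor}]
	if !ok {
		return Unknown, nil
	}
	if patch < fixed {
		return Vulnerable, nil
	}
	return Patched, nil
}

// VersionFromHealth extracts the "version" field from a /api/health response body.
func VersionFromHealth(body []byte) (string, error) {
	var h struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal(body, &h); err != nil {
		return "", err
	}
	if h.Version == "" {
		return "", fmt.Errorf("no version field in health response")
	}
	return h.Version, nil
}

// sampleHealth is a constructed /api/health body so the example runs offline.
const sampleHealth = `{"commit":"abcdef0","database":"ok","version":"10.3.4"}`

func main() {
	v, err := VersionFromHealth([]byte(sampleHealth))
	if err != nil {
		panic(err)
	}
	verdict, _ := Assess(v)
	fmt.Printf("instance reports %s: %s\n", v, verdict)
	for _, s := range []string{"9.5.17", "9.5.18", "9.4.9", "10.0.3", "v10.2.6", "10.1.8-pre", "10.4.0"} {
		verdict, _ := Assess(s)
		fmt.Printf("%-12s %s\n", s, verdict)
	}
}
```

In practice, fetch `/api/health` from each instance (it needs no authentication) and feed the body to `VersionFromHealth`; anything that comes back "unknown" or "VULNERABLE" goes on the upgrade list.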