CVE-2024-8118

EPSS 0.10%

Grafana alerting wrong permission on datasource rule write endpoint

Published: 4/14/2025Modified: 5/20/2025

Description

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

Affected packages (1)

Bitnami/grafana>= 8.5.0, < 10.4.9, >= 11.0.0, < 11.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBhttps://grafana.com/security/security-advisories/cve-2024-8118/
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-8118