CVE-2024-1442: 
Grafana vulnerability analysis and mitigation

A vulnerability was discovered in Grafana (CVE-2024-1442) where a user with permissions to create a data source can use the Grafana API to create a data source with UID set to '*'. This vulnerability affects Grafana versions 8.5.0 < 9.5.7, 10.0.0 < 10.0.12, 10.1.0 < 10.1.8, 10.2.0 < 10.2.5, and 10.3.0 < 10.3.4. The vulnerability was publicly disclosed on March 7, 2024 (Grafana Advisory).

The vulnerability stems from an improper privilege management issue (CWE-269) where setting the UID to '*' via the Grafana API creates a security risk. The vulnerability has received a CVSS v3.1 base score of 6.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L, indicating network accessibility, low attack complexity, and high privileges required (Red Hat CVE).

When successfully exploited, this vulnerability allows an attacker to bypass access controls and gain unfettered access to all data sources within the organization. The impact includes the ability to read, query, edit, and delete all data sources, potentially leading to data breaches, manipulation, privacy violations, and compliance issues (Red Hat CVE).

Organizations should upgrade to the fixed versions of Grafana: 9.5.7 or later, 10.0.12 or later, 10.1.8 or later, 10.2.5 or later, or 10.3.4 or later. No alternative workarounds have been publicly documented (Grafana Advisory).