CVE-2024-1313 Overview
CVE-2024-1313 is an authorization bypass vulnerability in Grafana that allows a user from a different organization to delete snapshots they do not own. The vulnerability exists in the authorization logic for the snapshot deletion API endpoint (/api/snapshots/<key>). By issuing a DELETE request using a snapshot's view key, an unprivileged user in a different organization than the snapshot owner can bypass authorization checks and delete the snapshot.
This functionality is intended to only be available to individuals with write/edit permissions on the snapshot in question. However, due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are incorrectly treated as authorized.
Critical Impact
Unauthorized users can delete Grafana snapshots belonging to other organizations, potentially causing data loss and disruption to monitoring workflows.
Affected Products
- Grafana versions 9.5.0 to 9.5.17
- Grafana versions 10.0.0 to 10.0.12
- Grafana versions 10.1.0 to 10.1.8
- Grafana versions 10.2.0 to 10.2.5
- Grafana versions 10.3.0 to 10.3.4
Discovery Timeline
- 2024-03-26 - CVE-2024-1313 published to NVD
- 2025-02-13 - Last updated in NVD database
Grafana Labs credited Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.
Technical Details for CVE-2024-1313
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The flaw resides in Grafana's multi-tenant architecture where snapshots can be shared across organizational boundaries using view keys.
The authorization check for snapshot deletion fails to properly validate that the requesting user belongs to the same organization as the snapshot owner. Instead, the system incorrectly authorizes deletion requests when a valid view key is provided, regardless of the requester's organizational membership.
In multi-organization Grafana deployments, snapshots are intended to be isolated between organizations with strict access controls. The view key mechanism exists to allow read-only access to snapshots, but the flawed authorization logic extends this permission to include deletion capabilities for users outside the owning organization.
Root Cause
The root cause is improper authorization logic in the snapshot deletion endpoint. When processing DELETE requests to /api/snapshots/<key>, the application fails to verify that the authenticated user has write/edit permissions within the same organization that owns the snapshot. The system incorrectly treats possession of a valid view key as sufficient authorization for deletion operations.
Attack Vector
The attack is network-based and requires low privileges (a valid Grafana user account in any organization). An attacker with access to a snapshot's view key can exploit this vulnerability by:
- Obtaining a snapshot's view key (which may be shared legitimately for read-only access)
- Authenticating to Grafana as a user in a different organization
- Sending a DELETE request to /api/snapshots/<view_key>
- Because the authorization check does not validate organization membership, the deletion is accepted
The vulnerability enables data integrity attacks where snapshots containing important dashboard states, configuration records, or historical data can be permanently deleted by unauthorized users.
Detection Methods for CVE-2024-1313
Indicators of Compromise
- Unexpected snapshot deletion events in Grafana audit logs
- DELETE requests to /api/snapshots/ endpoints from users in different organizations than the snapshot owner
- Multiple snapshot deletions occurring from a single user account across different organizational contexts
- Complaints from users about missing snapshots they did not delete
Detection Strategies
- Monitor Grafana API access logs for DELETE requests to /api/snapshots/<key> endpoints
- Implement alerting on snapshot deletion events and correlate with the requesting user's organization
- Review access patterns for cross-organization API activity
- Deploy SentinelOne Singularity to detect anomalous API access patterns and potential exploitation attempts
Monitoring Recommendations
- Enable detailed audit logging in Grafana to capture all snapshot-related API operations
- Configure alerts for any DELETE operations on snapshots by users outside the owning organization
- Implement network monitoring for unusual patterns of API requests to snapshot endpoints
- Regularly audit snapshot access logs and correlate with organizational membership
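One way to implement the cross-organization correlation called for in the detection strategies and monitoring recommendations above, as an added example that is not part of the original advisory or of Grafana's own code: it parses Grafana's logfmt router log lines (assumed "Request Completed" shape, emitted when router_logging is enabled) and flags successful DELETE requests on /api/snapshots/<key> whose caller orgId differs from the snapshot's owning organization, looked up from an exported key-to-org_id mapping (assumed to come from the dashboard_snapshot table). Both the log lines and the mapping below are constructed sample data.

```python
"""Flag CVE-2024-1313-style cross-organization snapshot deletions in Grafana
request logs. Assumes Grafana's logfmt "Request Completed" router log lines
(router_logging enabled) and a snapshot key -> owning org_id mapping exported
from the dashboard_snapshot table. Both inputs below are constructed samples."""
import re
import shlex

# Constructed sample log lines in Grafana's router logfmt shape (assumed format).
SAMPLE_LOGS = """\
logger=context userId=7 orgId=2 uname=alice t=2024-03-26T10:01:00Z level=info msg="Request Completed" method=GET path=/api/snapshots/k1 status=200 remote_addr=10.1.2.3
logger=context userId=7 orgId=2 uname=alice t=2024-03-26T10:01:05Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/k1 status=200 remote_addr=10.1.2.3
logger=context userId=3 orgId=1 uname=bob t=2024-03-26T10:02:00Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/k2 status=200 remote_addr=10.1.2.4
logger=context userId=7 orgId=2 uname=alice t=2024-03-26T10:03:00Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/k3 status=403 remote_addr=10.1.2.3
"""

# Constructed owner mapping: snapshot key -> org_id (as stored in dashboard_snapshot).
SNAPSHOT_OWNER_ORG = {"k1": 1, "k2": 1, "k3": 1}

SNAPSHOT_PATH = re.compile(r"^/api/snapshots/([^/?]+)$")


def parse_logfmt(line):
    """Split a logfmt line into a dict; shlex keeps the quoted msg value intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_cross_org_deletions(log_text, owner_org):
    """Return (uname, requester_org, key, owner_org, t) for each successful DELETE
    on a snapshot whose owning organization differs from the caller's orgId."""
    findings = []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        # Only completed deletions matter; a 403 means the check held.
        if f.get("method") != "DELETE" or f.get("status") != "200":
            continue
        m = SNAPSHOT_PATH.match(f.get("path", ""))
        if not m:
            continue
        key = m.group(1)
        requester_org = int(f.get("orgId", 0))
        owning = owner_org.get(key)
        if owning is not None and owning != requester_org:
            findings.append((f.get("uname"), requester_org, key, owning, f.get("t")))
    return findings
```

On the sample data only alice's deletion of k1 is reported: bob deletes a snapshot his own organization owns, and alice's attempt on k3 was refused with a 403.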
How to Mitigate CVE-2024-1313
Immediate Actions Required
- Upgrade Grafana immediately to a patched release: 9.5.18, 10.0.13, 10.1.9, 10.2.6 or 10.3.5 (or later within the same series)
- Audit recent snapshot deletions to identify any unauthorized activity
- Review and rotate snapshot view keys that may have been shared externally
- Restrict API access to Grafana instances using network-level controls until patching is complete
Patch Information
Grafana Labs has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Grafana 9.5.18 or later (for 9.5.x series)
- Grafana 10.0.13 or later (for 10.0.x series)
- Grafana 10.1.9 or later (for 10.1.x series)
- Grafana 10.2.6 or later (for 10.2.x series)
- Grafana 10.3.5 or later (for 10.3.x series)
For detailed patch information, refer to the Grafana Security Advisory CVE-2024-1313. NetApp customers should also review the NetApp Security Advisory NTAP-20240524-0008.
Workarounds
- Implement network segmentation to restrict access to Grafana API endpoints from untrusted networks
- Use a reverse proxy or API gateway to add additional authorization checks on snapshot deletion endpoints
- Temporarily disable public snapshot sharing until patching is complete
- Configure Grafana to require additional authentication for destructive API operations
# Example: Restrict access to Grafana API endpoints using nginx.
# Place this location block inside the server { } block that proxies to Grafana
# (the upstream name grafana:3000 is assumed).
location /api/snapshots {
    # Allow only specific IP ranges to reach the snapshot API; the prefix match
    # also covers /api/snapshots/<key>. This blocks every method, including
    # read-only GET access via view keys, for clients outside these ranges.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    proxy_pass http://grafana:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

