CVE-2024-8118
Grafana alerting wrong permission on datasource rule write endpoint
EPSS 0.10%
Description
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
How to fix CVE-2024-8118
To remediate CVE-2024-8118, upgrade the affected package to a fixed version below.
- Bitnami/grafana—upgrade to 10.4.9 or later
Is CVE-2024-8118 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 8.5.0, < 10.4.9, >= 11.0.0, < 11.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |