The Unit 42 research report exposes a new Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana. Assigned CVE-2024-1313 with a CVSS score of 6.5, the vulnerability lets low-privileged Grafana users delete dashboard snapshots belonging to other organizations, undermining the integrity of the platform's data. Exploitation requires only knowledge of the target snapshot's key, raising concerns about unauthorized access and data compromise.
In addition to CVE-2024-1313, the report also points out an endpoint that allows any Grafana user to create snapshot images without any complexity check on the self-assigned secret key. Although Grafana does not consider these issues vulnerabilities, they could enable denial-of-service attacks or brute-force attempts against weak secrets to access or delete snapshots held by other users. The report provides detailed technical analysis, preconditions, impacts, and practical advice on solutions and mitigations, underscoring the urgency of proactive security measures.
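The two weaknesses summarized above, the missing object-level check on snapshot deletion and the absence of a complexity policy on self-assigned snapshot keys, reduce to a small amount of authorization logic. The following Go example is added here for illustration and is not Grafana's code: the snapshot store, the `Requester` type, the 32-character/three-class key policy and all sample keys are constructed assumptions. It places a BOLA-style delete handler that trusts the key alone beside a hardened handler that also requires the snapshot to belong to the caller's organization, and a create path that rejects weak keys.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
)

// Snapshot and Requester are constructed models for this example; they do not
// reproduce Grafana's real data structures.
type Snapshot struct {
	Key   string // secret key that identifies the snapshot in its URL
	OrgID int64  // organization that owns the snapshot
}

type Requester struct {
	UserID int64
	OrgID  int64 // organization the caller is currently signed in to
}

var (
	ErrNotFound  = errors.New("snapshot not found")
	ErrForbidden = errors.New("snapshot belongs to another organization")
	ErrWeakKey   = errors.New("snapshot key does not meet complexity policy")
)

type SnapshotStore struct {
	byKey map[string]Snapshot
}

func NewSnapshotStore(snaps ...Snapshot) *SnapshotStore {
	s := &SnapshotStore{byKey: make(map[string]Snapshot)}
	for _, sn := range snaps {
		s.byKey[sn.Key] = sn
	}
	return s
}

func (s *SnapshotStore) Has(key string) bool {
	_, ok := s.byKey[key]
	return ok
}

// DeleteVulnerable shows the BOLA pattern: possession of the key is treated as
// proof of authorization, so a low-privileged user in any organization can
// delete a snapshot owned by a different organization.
func (s *SnapshotStore) DeleteVulnerable(r Requester, key string) error {
	if !s.Has(key) {
		return ErrNotFound
	}
	delete(s.byKey, key)
	return nil
}

// DeleteSecure adds the object-level check: the snapshot must belong to the
// requester's organization before it may be deleted.
func (s *SnapshotStore) DeleteSecure(r Requester, key string) error {
	snap, ok := s.byKey[key]
	if !ok {
		return ErrNotFound
	}
	if snap.OrgID != r.OrgID {
		return ErrForbidden
	}
	delete(s.byKey, key)
	return nil
}

// IsWeakSnapshotKey is a constructed complexity policy for self-assigned keys:
// at least 32 characters drawn from at least three character classes.
func IsWeakSnapshotKey(key string) bool {
	if len(key) < 32 {
		return true
	}
	var lower, upper, digit, other bool
	for _, c := range key {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			classes++
		}
	}
	return classes < 3
}

// Create refuses keys that fail the policy, closing the brute-force foothold
// that a user-chosen low-complexity key would otherwise provide.
func (s *SnapshotStore) Create(r Requester, key string) error {
	if IsWeakSnapshotKey(key) {
		return ErrWeakKey
	}
	if s.Has(key) {
		return errors.New("snapshot key already in use")
	}
	s.byKey[key] = Snapshot{Key: key, OrgID: r.OrgID}
	return nil
}

func main() {
	const key = "Q7vR2kLm9XpT4sWc8ZbN1yHf6JdA3gEu" // constructed sample key
	store := NewSnapshotStore(Snapshot{Key: key, OrgID: 2})
	outsider := Requester{UserID: 7, OrgID: 1}
	fmt.Println("secure delete by outsider:", store.DeleteSecure(outsider, key))
	fmt.Println("weak key accepted:", store.Create(outsider, "abc123"))
}
```

Returning `ErrForbidden` keeps the example easy to follow; a production handler may prefer to answer a cross-organization request with the same not-found response it gives for unknown keys, so that the delete endpoint cannot be used to confirm that a guessed key exists.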
Prisma Cloud customers using Web Application and API Security (WAAS) receive additional protection against these threats through a new custom rule that mitigates the risk of snapshots created with low-complexity keys in specific HTTP(S) requests. The analysis highlights the pressing need for system upgrades, proactive security measures, and customer guidance to address the identified vulnerabilities effectively and mitigate the associated risks.