Grafana OSS
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
- < 1.2.1 (SICK Incoming Goods Suite releases before 1.2.1)
A vulnerability has been identified in the Grafana OSS component shipped with SICK Incoming Goods Suite: an Organization administrator can permanently delete a Server administrator account. The flaw lies in the DELETE /api/org/users/ endpoint, which is meant only to remove a user from the caller's own organization, and it is exploitable whenever an Organization administrator exists and the targeted Server administrator is either not a member of any organization or a member of the same organization as that Organization administrator. The Organization administrator role is scoped to a single organization and is not supposed to affect Server administrator accounts at all; this endpoint lets it cross that privilege boundary.
Exploiting the issue lets an Organization administrator permanently delete Server administrator accounts. If the only Server administrator is removed, no account with super-user permissions remains and the instance can no longer be administered, which affects every user, organization and team on that instance.
Users are strongly advised to upgrade SICK Incoming Goods Suite to version 1.2.1 or later. Until the upgrade is applied, restrict the Organization administrator role to trusted accounts and keep more than one Server administrator account, so that a single deletion cannot remove all administrative control.
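The following script is an added example for checking whether an instance currently meets the preconditions described above; it is not part of the advisory and not SICK's or Grafana's own code. It evaluates user and organization-membership data in the shape returned by Grafana's HTTP API (GET /api/users and GET /api/users/:id/orgs, both of which require Server administrator credentials) and reports every Server administrator that an Organization administrator could delete. The sample accounts and memberships embedded in the script are constructed for the example; the fetch_live helper is an assumption about how you would pull the same data from a running instance and is not executed in the offline run.

```python
"""Exposure check for the Server-administrator deletion issue described above.

Added example (not part of the advisory or of Grafana's own code). It evaluates
the advisory's two preconditions against data in the shape returned by Grafana:
  GET /api/users            -> [{"id": 1, "login": "...", "isAdmin": true}, ...]
  GET /api/users/<id>/orgs  -> [{"orgId": 1, "name": "...", "role": "Admin"}, ...]
The sample data below is constructed for this example.
"""
import base64
import json
import urllib.request

# Constructed sample: three regular accounts plus three Server administrators.
SAMPLE_USERS = [
    {"id": 1, "login": "serveradmin",   "isAdmin": True},
    {"id": 2, "login": "orgadmin",      "isAdmin": False},
    {"id": 3, "login": "viewer",        "isAdmin": False},
    {"id": 4, "login": "backupadmin",   "isAdmin": True},
    {"id": 5, "login": "isolatedadmin", "isAdmin": True},
    {"id": 6, "login": "editor",        "isAdmin": False},
]
SAMPLE_ORGS = {  # user id -> organization memberships (constructed)
    1: [{"orgId": 1, "name": "Main Org.", "role": "Admin"}],
    2: [{"orgId": 1, "name": "Main Org.", "role": "Admin"}],
    3: [{"orgId": 1, "name": "Main Org.", "role": "Viewer"}],
    4: [],                                              # member of no organization
    5: [{"orgId": 2, "name": "Lab", "role": "Admin"}],
    6: [{"orgId": 2, "name": "Lab", "role": "Editor"}],
}


def org_admins_by_org(users, memberships):
    """Map orgId -> logins of Organization administrators who are NOT Server
    administrators, i.e. the population that could abuse the endpoint."""
    result = {}
    for u in users:
        if u["isAdmin"]:
            continue
        for m in memberships.get(u["id"], []):
            if m["role"] == "Admin":
                result.setdefault(m["orgId"], []).append(u["login"])
    return result


def exposed_server_admins(users, memberships):
    """Return (server_admin_login, reason, [org_admin_logins]) for every Server
    administrator matching the advisory's preconditions: an Organization
    administrator exists, and the Server administrator is either in no
    organization or in the same organization as that Organization administrator."""
    org_admins = org_admins_by_org(users, memberships)
    all_org_admins = sorted({login for logins in org_admins.values() for login in logins})
    findings = []
    for sa in (u for u in users if u["isAdmin"]):
        orgs = memberships.get(sa["id"], [])
        if not orgs:
            # Precondition 1: Server admin belongs to no organization at all.
            if all_org_admins:
                findings.append((sa["login"], "member of no organization", all_org_admins))
            continue
        for m in orgs:
            # Precondition 2: an Organization admin shares this organization.
            attackers = org_admins.get(m["orgId"], [])
            if attackers:
                findings.append((sa["login"], f"shares org {m['orgId']} ({m['name']})", attackers))
    return findings


def single_server_admin(users):
    """True when one deletion would leave the instance without any super-user,
    the total-loss scenario from the Impact section."""
    return sum(1 for u in users if u["isAdmin"]) == 1


def fetch_live(base_url, login, password):
    """Pull the same two datasets from a running Grafana using Server-admin
    basic auth (assumed usage; not called in the offline run below)."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()

    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    users = get("/api/users")
    return users, {u["id"]: get(f"/api/users/{u['id']}/orgs") for u in users}


if __name__ == "__main__":
    for login, reason, attackers in exposed_server_admins(SAMPLE_USERS, SAMPLE_ORGS):
        print(f"EXPOSED {login}: {reason}; deletable by {', '.join(attackers)}")
    if single_server_admin(SAMPLE_USERS):
        print("WARNING: only one Server administrator exists")
```

On the constructed data the check flags serveradmin (shares Main Org. with orgadmin) and backupadmin (belongs to no organization), while isolatedadmin is not flagged because the only other member of its organization is an Editor. Server administrators are excluded from the attacker set because they already hold full control; the check is about accounts that should not be able to reach them.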