Vardan Torosyan

Name of the Vulnerable Software and Affected Versions: Grafana Enterprise versions 6.x through 6.7.5 Grafana Enterprise versions 7.x through 7.3.9 Grafana Enterprise versions 7.4.x through 7.4.4 Description: The team sync HTTP API in Grafana Enterprise presents an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this issue allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. Recommendations: For Grafana Enterprise versions 6.x through 6.7.5, update to version 6.7.6 or later. For Grafana Enterprise versions 7.x through 7.3.9, update to version 7.3.10 or later. For Grafana Enterprise versions 7.4.x through 7.4.4, update to version 7.4.5 or later.