PT-2021-17772 · Grafana+1 · Grafana Enterprise+2

Published

2021-03-22

Updated

2024-06-15

CVE-2021-28146

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Grafana Enterprise versions 7.4.0 through 7.4.4

Description: The team sync HTTP API in Grafana Enterprise has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this issue allows any authenticated user to add external groups to existing teams, potentially granting a user team permissions that the user isn't supposed to have.

Recommendations: For versions 7.4.0 through 7.4.4, update to version 7.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the team sync HTTP API to minimize the risk of exploitation.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

BIT-GRAFANA-2021-28146

CVE-2021-28146

OPENSUSE-SU-2021:1148-1

OPENSUSE-SU-2021:1162-1

OPENSUSE-SU-2021:2662-1

OPENSUSE-SU-2021:2675-1

OPENSUSE-SU-2021_1148-1

OPENSUSE-SU-2021_1162-1

OPENSUSE-SU-2021_2662-1

OPENSUSE-SU-2021_2675-1

OPENSUSE-SU-2024:10818-1

SUSE-SU-2021:2660-1

SUSE-SU-2021:2673-1

SUSE-SU-2021:2675-1

SUSE-SU-2021:3907-1

SUSE-SU-2021:3908-1

Affected Products

Grafana

Grafana Enterprise

Suse

PT-2021-17772 · Grafana+1 · Grafana Enterprise+2

CVE-2021-28146

Weakness Enumeration

Related Identifiers

Affected Products

References · 47