CVE-2021-28147

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Grafana Enterprise versions 6.x through 6.7.5 Grafana Enterprise versions 7.x through 7.3.9 Grafana Enterprise versions 7.4.x through 7.4.4

Description: The team sync HTTP API in Grafana Enterprise presents an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this issue allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

Recommendations: For Grafana Enterprise versions 6.x through 6.7.5, update to version 6.7.6 or later. For Grafana Enterprise versions 7.x through 7.3.9, update to version 7.3.10 or later. For Grafana Enterprise versions 7.4.x through 7.4.4, update to version 7.4.5 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2021-1708

ALT-PU-2022-1177

ALT-PU-2022-1249

BIT-GRAFANA-2021-28147

CVE-2021-28147

OESA-2021-1445

OPENSUSE-SU-2021:1148-1

OPENSUSE-SU-2021:1162-1

OPENSUSE-SU-2021:2662-1

OPENSUSE-SU-2021:2675-1

OPENSUSE-SU-2021_1148-1

OPENSUSE-SU-2021_1162-1

OPENSUSE-SU-2021_2662-1

OPENSUSE-SU-2021_2675-1

SUSE-SU-2021:2660-1

SUSE-SU-2021:2673-1

SUSE-SU-2021:2675-1

SUSE-SU-2021:3907-1

SUSE-SU-2021:3908-1

Affected Products

Alt Linux

Grafana

Grafana Enterprise

Suse

CVE-2021-28147

Related Identifiers

Affected Products

References · 70