PT-2021-17774 · Grafana+2 · Grafana Enterprise+3

Published

2021-03-22

Updated

2024-06-15

CVE-2021-28148

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Grafana Enterprise versions 6.x through 6.7.5 Grafana Enterprise versions 7.x through 7.3.9 Grafana Enterprise versions 7.4.x through 7.4.4

Description: One of the usage insights HTTP API endpoints in Grafana Enterprise is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Recommendations: For versions 6.x through 6.7.5, update to version 6.7.6 or later. For versions 7.x through 7.3.9, update to version 7.3.10 or later. For versions 7.4.x through 7.4.4, update to version 7.4.5 or later.

Exploit

Fix

DoS

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

ALT-PU-2021-1708

ALT-PU-2022-1177

ALT-PU-2022-1249

BIT-GRAFANA-2021-28148

CVE-2021-28148

OESA-2021-1445

OPENSUSE-SU-2021:1148-1

OPENSUSE-SU-2021:1162-1

OPENSUSE-SU-2021:2662-1

OPENSUSE-SU-2021:2675-1

OPENSUSE-SU-2021_1148-1

OPENSUSE-SU-2021_1162-1

OPENSUSE-SU-2021_2662-1

OPENSUSE-SU-2021_2675-1

OPENSUSE-SU-2024:10818-1

SUSE-SU-2021:2660-1

SUSE-SU-2021:2673-1

SUSE-SU-2021:2675-1

SUSE-SU-2021:3907-1

SUSE-SU-2021:3908-1

Affected Products

Alt Linux

Grafana

Grafana Enterprise

Suse

PT-2021-17774 · Grafana+2 · Grafana Enterprise+3

CVE-2021-28148

Weakness Enumeration

Related Identifiers

Affected Products

References · 75