PT-2021-23209 · Grafana+2

Richih · Published 2021-11-15 · Updated 2024-06-15 · CVE-2021-41244

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grafana versions 8.0 through 8.2.3

Description: Grafana is an open-source platform for monitoring and observability. In affected versions, when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which, with fine-grained access control enabled, allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they do not hold the Organization Admin role.

Recommendations: For versions 8.0 through 8.2.3, upgrade to version 8.2.4 as soon as possible. If you cannot upgrade, turn off fine-grained access control using its feature flag.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

ALT-PU-2022-1806
ALT-PU-2022-1820
ALT-PU-2023-4567
BIT-GRAFANA-2021-41244
CVE-2021-41244
GHSA-MPWP-42X6-4WMX
OPENSUSE-SU-2022_1396-1
OPENSUSE-SU-2022_4428-1
OPENSUSE-SU-2022_4437-1
OPENSUSE-SU-2024:11816-1
SUSE-FU-2022:1419-1
SUSE-SU-2022:0751-1
SUSE-SU-2022:1396-1
SUSE-SU-2022:2134-1
SUSE-SU-2022:3676-1
SUSE-SU-2022:4428-1
SUSE-SU-2022:4437-1
SUSE-SU-2022:4439-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0196-1

Affected Products

Alt Linux
Grafana
Suse