cvelist / Mitre / CVELIST:CVE-2021-28146
History: Mar 22, 2021 - 2:00 p.m.

CVE-2021-28146

2021-03-22 14:00:36
mitre
www.cve.org
7
grafana
access control
vulnerability
authentication
teams

AI Score: 7
Confidence: High
EPSS: 0.001
Percentile: 36.7%

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn’t supposed to have.
