Linux Distros Unpatched Vulnerability : CVE-2021-41244

🗓️ 04 Sep 2025 00:00:00Reported by TenableType

Grafana CVE-2021-41244 lets admins edit users in other orgs with fine-grained control enabled; upgrade to 8.2.3 or disable.

Reporter	Title	Published	Views	Family All 66
ALT Linux	Security fix for the ALT Linux 10 package grafana version 8.5.0-alt1	5 May 202200:00	–	altlinux
FreeBSD	Grafana -- Incorrect Access Control	2 Nov 202100:00	–	freebsd
AlpineLinux	CVE-2021-41244	15 Nov 202120:05	–	alpinelinux
ArchLinux	[ASA-202111-6] grafana: access restriction bypass	18 Nov 202100:00	–	archlinux
Circl	CVE-2021-41244	17 Nov 202116:14	–	circl
CNNVD	Grafana 安全漏洞	15 Nov 202100:00	–	cnnvd
CNVD	Grafana has an unspecified vulnerability	17 Nov 202100:00	–	cnvd
CVE	CVE-2021-41244	15 Nov 202120:05	–	cve
Cvelist	CVE-2021-41244 Cross organization admin control in Grafana	15 Nov 202120:05	–	cvelist
EUVD	EUVD-2024-1694	3 Oct 202520:07	–	euvd

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2021-41244
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(261251);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/04");

  script_cve_id("CVE-2021-41244");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2021-41244");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-
    grained access control beta feature is enabled and there is more than one organization in the Grafana
    instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism
    which allowed users with the Organization Admin role to list, add, remove, and update users' roles in
    other organizations in which they are not an admin. With fine-grained access control enabled, organization
    admins can list, add, remove and update users' roles in another organization, where they do not have
    organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control
    beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade,
    you should turn off the fine-grained access control using a feature flag. (CVE-2021-41244)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2021-41244");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-41244");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:grafana");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "grafana"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

04 Sep 2025 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 26.5

CVSS 3.17.2 - 9.1

EPSS0.00486