CVSS3: 7.2 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.003 Low (Percentile 69.6%)
Grafana is an open-source platform for monitoring and observability. In
affected versions, when the fine-grained access control beta feature is
enabled and there is more than one organization in the Grafana instance,
admins are able to access users from other organizations. Grafana 8.0
introduced a mechanism which allowed users with the Organization Admin role
to list, add, remove, and update users' roles in other organizations in
which they are not an admin. With fine-grained access control enabled,
organization admins can list, add, remove and update users' roles in
another organization where they do not have the organization admin role. All
installations between v8.0 and v8.2.3 that have the fine-grained access
control beta enabled and more than one organization should be upgraded as
soon as possible. If you cannot upgrade, you should turn off fine-grained
access control using its feature flag.
| Author | Note |
|---|---|
| seth-arnold | Xenial's grafana package doesn't appear to have fine grained acls |
www.openwall.com/lists/oss-security/2021/11/15/1
github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
launchpad.net/bugs/cve/CVE-2021-41244
nvd.nist.gov/vuln/detail/CVE-2021-41244
security-tracker.debian.org/tracker/CVE-2021-41244
www.cve.org/CVERecord?id=CVE-2021-41244