Vulnerability Details : CVE-2021-28148

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Vulnerability category: Denial of service

Published 2021-03-22 15:15:15

Updated 2022-07-12 17:42:04

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-28148

Probability of exploitation activity in the next 30 days: 0.53%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 74 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-28148

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-28148

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: [email protected] (Primary)

References for CVE-2021-28148

https://community.grafana.com/t/release-notes-v6-7-x/27119

Release Notes;Vendor Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210430-0005/

Third Party Advisory

CVEs referencing this url
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/

Release Notes;Vendor Advisory

CVEs referencing this url
https://www.openwall.com/lists/oss-security/2021/03/19/5

Mailing List;Third Party Advisory

CVEs referencing this url
https://grafana.com/products/enterprise/

Product;Vendor Advisory

CVEs referencing this url
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724

Vendor Advisory

CVEs referencing this url
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/

Release Notes;Vendor Advisory

CVEs referencing this url
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/

Release Notes;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2021-28148

Grafana » Grafana » Enterprise Edition
Versions from including (>=) 6.0.0 and before (<) 6.7.6
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Matching versions
Grafana » Grafana » Enterprise Edition
Versions from including (>=) 7.4.0 and before (<) 7.4.5
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Matching versions
Grafana » Grafana » Enterprise Edition
Versions from including (>=) 7.0.0 and before (<) 7.3.10
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Matching versions