Vulnerability Details : CVE-2021-28146
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
Exploit prediction scoring system (EPSS) score for CVE-2021-28146
Probability of exploitation activity in the next 30 days: 0.09%
Percentile (proportion of vulnerabilities scored at or below this score): ~35%
CVSS scores for CVE-2021-28146
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST
CWE ids for CVE-2021-28146
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-28146
- https://community.grafana.com/t/release-notes-v6-7-x/27119 : Release Notes v6.7.x - Releases - Grafana Community (Release Notes; Vendor Advisory)
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/ : Release notes for Grafana 7.3.10 | Grafana Labs (Release Notes; Vendor Advisory)
- https://www.openwall.com/lists/oss-security/2021/03/19/5 : oss-security - Grafana 7.4.5, 7.3.10 and 6.7.6 released with security fixes for Grafana Enterprose (Mailing List; Third Party Advisory)
- https://grafana.com/products/enterprise/ : Grafana Enterprise Stack | Grafana Labs (Product; Vendor Advisory)
- https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724 : Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update - Security Announcements - Grafana Labs Community Forums (Vendor Advisory)
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/ : Release notes for Grafana 7.4.5 | Grafana Labs (Release Notes; Vendor Advisory)
- https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/ : Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise | Grafana Labs (Release Notes; Vendor Advisory)
Products affected by CVE-2021-28146
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*