Vulnerability Details : CVE-2021-28147
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.
Products affected by CVE-2021-28147
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-28147
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-28147
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
References for CVE-2021-28147
-
https://community.grafana.com/t/release-notes-v6-7-x/27119
Release Notes v6.7.x - Releases - Grafana CommunityRelease Notes;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20210430-0005/
March 2021 Grafana Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
Release notes for Grafana 7.3.10 | Grafana LabsRelease Notes;Vendor Advisory
-
https://www.openwall.com/lists/oss-security/2021/03/19/5
oss-security - Grafana 7.4.5, 7.3.10 and 6.7.6 released with security fixes for Grafana EnterproseMailing List;Third Party Advisory
-
https://grafana.com/products/enterprise/
Grafana Enterprise Stack | Grafana LabsProduct;Vendor Advisory
-
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update - Security Announcements - Grafana Labs Community ForumsVendor Advisory
-
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
Release notes for Grafana 7.4.5 | Grafana LabsRelease Notes;Vendor Advisory
-
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise | Grafana LabsRelease Notes;Vendor Advisory
Jump to