Vulnerability Details : CVE-2021-28148
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
Vulnerability category: Denial of service
Products affected by CVE-2021-28148
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-28148
1.74%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 88 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-28148
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-28148
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-28148
-
https://community.grafana.com/t/release-notes-v6-7-x/27119
Release Notes v6.7.x - Releases - Grafana CommunityRelease Notes;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20210430-0005/
March 2021 Grafana Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
Release notes for Grafana 7.3.10 | Grafana LabsRelease Notes;Vendor Advisory
-
https://www.openwall.com/lists/oss-security/2021/03/19/5
oss-security - Grafana 7.4.5, 7.3.10 and 6.7.6 released with security fixes for Grafana EnterproseMailing List;Third Party Advisory
-
https://grafana.com/products/enterprise/
Grafana Enterprise Stack | Grafana LabsProduct;Vendor Advisory
-
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update - Security Announcements - Grafana Labs Community ForumsVendor Advisory
-
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
Release notes for Grafana 7.4.5 | Grafana LabsRelease Notes;Vendor Advisory
-
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise | Grafana LabsRelease Notes;Vendor Advisory
Jump to