Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-28147

Опубликовано: 22 мар. 2021
Источник: nvd
CVSS3: 6.5
CVSS2: 3.5
EPSS Низкий

Описание

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 6.0.0 (включая) до 6.7.6 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 7.0.0 (включая) до 7.3.10 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 7.4.0 (включая) до 7.4.5 (исключая)

EPSS

Процентиль: 65%
0.00509
Низкий

6.5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

ubuntu логотип

CVE-2021-28147

CVSS3: 6.5
ubuntu
около 4 лет назад

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

redhat логотип

CVE-2021-28147

CVSS3: 6.8
redhat
больше 4 лет назад

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

debian логотип

CVE-2021-28147

CVSS3: 6.5
debian
около 4 лет назад

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x bef ...

github логотип

GHSA-jfp3-g5xg-h74p

CVSS3: 6.5
github
около 3 лет назад

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

suse-cvrf логотип

openSUSE-SU-2021:2675-1

suse-cvrf
почти 4 года назад

Security update for SUSE Manager Client Tools

EPSS

Процентиль: 65%
0.00509
Низкий

6.5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

NVD-CWE-Other