Описание
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
A flaw was found in Grafana Enterprise. Users with the Editor role are allowed to bypass data source permissions for the organization's default data source. The highest threat from this vulnerability is to data confidentiality.
Отчет
Red Hat products do not ship Grafana Enterprise version, therefore are not affected by this vulnerability.
Меры по смягчению последствий
If you are using the Enterprise version of Grafana, you can mitigate this vulnerability by making sure that the default data source for every Grafana organization points to a data source without permissions set up.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh-grafana | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | grafana | Not affected | ||
| Red Hat Ceph Storage 2 | grafana | Out of support scope | ||
| Red Hat Ceph Storage 3 | grafana | Not affected | ||
| Red Hat Ceph Storage 3 | grafana-container | Not affected | ||
| Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Not affected | ||
| Red Hat Enterprise Linux 8 | grafana | Not affected | ||
| Red Hat Enterprise Linux 9 | grafana | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Not affected |
Показывать по
Дополнительная информация
Статус:
6.8 Medium
CVSS3
Связанные уязвимости
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4. ...
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
6.8 Medium
CVSS3