CVE-2021-28147

Published: 18 Mar 2021
Source: redhat
CVSS3: 6.8
EPSS: Low

Description

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

A flaw was found in Grafana Enterprise. An authenticated user can add an external group to an existing team when the editorsCanAdmin feature is enabled. The highest threat from this vulnerability is to data confidentiality.

Statement

Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.

Affected packages

Platform                                              Package                           State         Recommendation  Release
OpenShift Service Mesh 1                              servicemesh-grafana               Not affected  -               -
OpenShift Service Mesh 2.0                            servicemesh-grafana               Not affected  -               -
Red Hat Advanced Cluster Management for Kubernetes 2  grafana                           Not affected  -               -
Red Hat Ceph Storage 2                                grafana                           Not affected  -               -
Red Hat Ceph Storage 3                                grafana                           Not affected  -               -
Red Hat Ceph Storage 3                                grafana-container                 Not affected  -               -
Red Hat Ceph Storage 4                                rhceph/rhceph-4-dashboard-rhel8   Not affected  -               -
Red Hat Enterprise Linux 8                            grafana                           Not affected  -               -
Red Hat Enterprise Linux 9                            grafana                           Not affected  -               -
Red Hat OpenShift Container Platform 3.11             openshift3/grafana                Not affected  -               -

Additional information

Status: Important
Weakness: CWE-287
Weakness: CWE-863
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1938978
grafana: Allows to bypass access control restrictions via external groups

EPSS

Percentile: 65%
Score: 0.00509 (Low)

CVSS3

6.8 Medium

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 4 years ago

CVSS3: 6.5
nvd
about 4 years ago

CVSS3: 6.5
debian
about 4 years ago

CVSS3: 6.5
github
about 3 years ago

suse-cvrf
almost 4 years ago

Security update for SUSE Manager Client Tools