6.5

CVE-2021-28147

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GrafanaGrafana SwEditionenterprise Version >= 6.0.0 < 6.7.6
GrafanaGrafana SwEditionenterprise Version >= 7.0.0 < 7.3.10
GrafanaGrafana SwEditionenterprise Version >= 7.4.0 < 7.4.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.61% 0.728
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://community.grafana.com/t/release-notes-v6-7-x/27119
Vendor Advisory
Release Notes
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
Vendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
Vendor Advisory
Release Notes
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
Vendor Advisory
Release Notes
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
Vendor Advisory
Release Notes
https://grafana.com/products/enterprise/
Vendor Advisory
Product
https://www.openwall.com/lists/oss-security/2021/03/19/5
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20210430-0005/
Third Party Advisory