Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-28147

Date: March 22, 2021

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

Severity Score

Related Resources (11)

https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
https://security.alpinelinux.org/vuln/CVE-2021-28147
https://nvd.nist.gov/vuln/detail/CVE-2021-28147
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://grafana.com/products/enterprise/
https://www.openwall.com/lists/oss-security/2021/03/19/5
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
https://security.netapp.com/advisory/ntap-20210430-0005/
https://www.mend.io/vulnerability-database/CVE-2021-28147

Severity Score

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us