CVE-2021-28146 — MEDIUM (6.5)

Q: How severe is CVE-2021-28146?

CVE-2021-28146 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-28146?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana.

Vulnerability Description

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Grafana	Grafana	>= 7.4.0, < 7.4.5

Related Weaknesses (CWE)

CWE-863

References

https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-securiVendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119Release NotesVendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-withRelease NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/Release NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/Release NotesVendor Advisory
https://grafana.com/products/enterprise/ProductVendor Advisory
https://www.openwall.com/lists/oss-security/2021/03/19/5Mailing ListThird Party Advisory
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-securiVendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119Release NotesVendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-withRelease NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/Release NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/Release NotesVendor Advisory
https://grafana.com/products/enterprise/ProductVendor Advisory
https://www.openwall.com/lists/oss-security/2021/03/19/5Mailing ListThird Party Advisory

FAQ

What is CVE-2021-28146?

CVE-2021-28146 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any auth...

How severe is CVE-2021-28146?

CVE-2021-28146 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-28146?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana.