CVE-2021-28148 — HIGH (7.5)

Q: How severe is CVE-2021-28148?

CVE-2021-28148 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-28148?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana.

Vulnerability Description

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Grafana	Grafana	>= 6.0.0, < 6.7.6

Related Weaknesses (CWE)

CWE-306

References

https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-securiVendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119Release NotesVendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-withRelease NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/Release NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/Release NotesVendor Advisory
https://grafana.com/products/enterprise/ProductVendor Advisory
https://security.netapp.com/advisory/ntap-20210430-0005/Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/03/19/5Mailing ListThird Party Advisory
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-securiVendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119Release NotesVendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-withRelease NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/Release NotesVendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/Release NotesVendor Advisory
https://grafana.com/products/enterprise/ProductVendor Advisory
https://security.netapp.com/advisory/ntap-20210430-0005/Third Party Advisory

FAQ

What is CVE-2021-28148?

CVE-2021-28148 is a vulnerability with a CVSS score of 7.5 (HIGH). One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated...

How severe is CVE-2021-28148?

CVE-2021-28148 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-28148?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana.