github - ghsa-jfp3-g5xg-h74p

ghsa-jfp3-g5xg-h74p

Vulnerability from github

Published

2022-05-24 17:45

Modified

2022-05-24 17:45

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-28147"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-22T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn\u0027t supposed to have.",
  "id": "GHSA-jfp3-g5xg-h74p",
  "modified": "2022-05-24T17:45:02Z",
  "published": "2022-05-24T17:45:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28147"
    },
    {
      "type": "WEB",
      "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"
    },
    {
      "type": "WEB",
      "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/products/enterprise"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210430-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2021-28147

Vulnerability from cvelistv5

Published

2021-03-22 14:03

Modified

2024-08-03 21:40

Severity

Summary

References

URL	Tags
https://community.grafana.com/t/release-notes-v6-7-x/27119	x_refsource_MISC
https://grafana.com/products/enterprise/	x_refsource_MISC
https://www.openwall.com/lists/oss-security/2021/03/19/5	x_refsource_MISC
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/	x_refsource_CONFIRM
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724	x_refsource_MISC
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/	x_refsource_MISC
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210430-0005/	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website