CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41244 – Cross organization admin control in Grafana
https://notcve.org/view.php?id=CVE-2021-41244
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. • http://www.openwall.com/lists/oss-security/2021/11/15/1 https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes https://security.netapp.com/advisory/ntap-20211223-0001 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere CWE-863: Incorrect Authorization •
CVSS: 6.9EPSS: 95%CPEs: 1EXPL: 0CVE-2021-41174 – XSS vulnerability allowing arbitrary JavaScript execution
https://notcve.org/view.php?id=CVE-2021-41174
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. • https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912 https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82 https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88 https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 https://security.netapp.com/advisory/ntap-20211125-0003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 91%CPEs: 4EXPL: 1CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. • http://www.openwall.com/lists/oss-security/2021/10/05/4 https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11 https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT https://lists.fedoraproject • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-28148
https://notcve.org/view.php?id=CVE-2021-28148
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance. Uno de los endpoints de la API HTTP de información de uso en Grafana Enterprise versiones 6.x anteriores a 6.7.6, versiones 7.x anteriores a 7.3.10 y versiones 7.4.x anteriores a 7.4.5, es accesible sin ninguna autenticación. Esto permite a cualquier usuario no autenticado enviar un número ilimitado de peticiones al endpoint, conllevando a un ataque de denegación de servicio (DoS) contra una instancia de Grafana Enterprise • https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724 https://community.grafana.com/t/release-notes-v6-7-x/27119 https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5 https://grafana.com/products/enterpr • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-28147
https://notcve.org/view.php?id=CVE-2021-28147
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. La API HTTP de sincronización de equipo en Grafana Enterprise versiones 6.x anteriores a 6.7.6, versiones 7.x anteriores a 7.3.10 y versiones 7.4.x anteriores a 7.4.5, presenta un problema de Control de Acceso Incorrecto. En las instancias de Grafana que usan un servicio de autenticación externo y presentan habilitada la funcionalidad EditorsCanAdmin, esta vulnerabilidad permite a cualquier usuario autenticado agregar grupos externos a cualquier equipo existente. • https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724 https://community.grafana.com/t/release-notes-v6-7-x/27119 https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5 https://grafana.com/products/enterpr •