CVE-2021-28147
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.
La API HTTP de sincronización de equipo en Grafana Enterprise versiones 6.x anteriores a 6.7.6, versiones 7.x anteriores a 7.3.10 y versiones 7.4.x anteriores a 7.4.5, presenta un problema de Control de Acceso Incorrecto. En las instancias de Grafana que usan un servicio de autenticación externo y presentan habilitada la funcionalidad EditorsCanAdmin, esta vulnerabilidad permite a cualquier usuario autenticado agregar grupos externos a cualquier equipo existente. Esto puede ser usado para otorgar a un equipo de usuarios permisos que se supone que el usuario no debe tener
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-11 CVE Reserved
- 2021-03-22 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20210430-0005 | Third Party Advisory | |
https://www.openwall.com/lists/oss-security/2021/03/19/5 | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 6.0.0 < 6.7.6 Search vendor "Grafana" for product "Grafana" and version " >= 6.0.0 < 6.7.6" | enterprise |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 7.0.0 < 7.3.10 Search vendor "Grafana" for product "Grafana" and version " >= 7.0.0 < 7.3.10" | enterprise |
Affected
| ||||||
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 7.4.0 < 7.4.5 Search vendor "Grafana" for product "Grafana" and version " >= 7.4.0 < 7.4.5" | enterprise |
Affected
|