CVE-2021-41244

Cross organization admin control in Grafana

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.

Grafana es una plataforma de código abierto para la monitorización y la observabilidad. En las versiones afectadas, cuando la función beta de control de acceso de grano fino está habilitada y presenta más de una organización en la instancia de Grafana, los administradores pueden acceder a usuarios de otras organizaciones. Grafana versión 8.0 introdujo un mecanismo que permitía a usuarios con el rol de administrador de la organización listar, añadir, eliminar y actualizar los roles de los usuarios en otras organizaciones en las que no son administradores. Con el control de acceso de grano fino habilitado, los administradores de la organización pueden listar, añadir, eliminar y actualizar los roles de los usuarios en otra organización, donde no tienen el rol de administrador de la organización. Todas las instalaciones entre la v8.0 y la v8.2.3 que tengan habilitado el control de acceso detallado beta y más de una organización deben actualizarse lo antes posible. Si no es posible actualizar, es debido deshabilitar el control de acceso de grano fino usando un flag de función

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-11-15 CVE Published
2023-10-02 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CWE-863: Incorrect Authorization

CAPEC

References (4)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/11/15/1	Mailing List
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211223-0001	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes	2022-03-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grafana Search vendor "Grafana"		Grafana Search vendor "Grafana" for product "Grafana"				>= 8.0.0 < 8.2.4 Search vendor "Grafana" for product "Grafana" and version " >= 8.0.0 < 8.2.4"		-		Affected