CVE-2021-41244
Cross organization admin control in Grafana
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
Grafana es una plataforma de código abierto para la monitorización y la observabilidad. En las versiones afectadas, cuando la función beta de control de acceso de grano fino está habilitada y presenta más de una organización en la instancia de Grafana, los administradores pueden acceder a usuarios de otras organizaciones. Grafana versión 8.0 introdujo un mecanismo que permitía a usuarios con el rol de administrador de la organización listar, añadir, eliminar y actualizar los roles de los usuarios en otras organizaciones en las que no son administradores. Con el control de acceso de grano fino habilitado, los administradores de la organización pueden listar, añadir, eliminar y actualizar los roles de los usuarios en otra organización, donde no tienen el rol de administrador de la organización. Todas las instalaciones entre la v8.0 y la v8.2.3 que tengan habilitado el control de acceso detallado beta y más de una organización deben actualizarse lo antes posible. Si no es posible actualizar, es debido deshabilitar el control de acceso de grano fino usando un flag de función
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-09-15 CVE Reserved
- 2021-11-15 CVE Published
- 2023-10-02 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
- CWE-863: Incorrect Authorization
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/11/15/1 | Mailing List | |
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx | Third Party Advisory | |
https://security.netapp.com/advisory/ntap-20211223-0001 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes | 2022-03-31 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 8.0.0 < 8.2.4 Search vendor "Grafana" for product "Grafana" and version " >= 8.0.0 < 8.2.4" | - |
Affected
|