VDB
BIT-grafana-2021-28147
BIT-grafana-2021-28147
PUBLISHED
CVSS 6.5 MEDIUM
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.
Risk Scores
CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | grafana | 6.0.0, 7.0.0, 7.4.0 |
Timeline
- Mar 6, 2024 CVE Published
- Apr 3, 2025 CVE Updated
References
- https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724 url
- https://community.grafana.com/t/release-notes-v6-7-x/27119 url
- https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/ url
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/ url
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/ url
- https://grafana.com/products/enterprise/ url
- https://security.netapp.com/advisory/ntap-20210430-0005/ url
- https://www.openwall.com/lists/oss-security/2021/03/19/5 url
- https://nvd.nist.gov/vuln/detail/CVE-2021-28147 url