CVE-2021-28147

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.

Published: Mar 22, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-28147
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
grafana / grafana	7.4.0	7.4.5
grafana / grafana	6.0.0	6.7.6
grafana / grafana	7.0.0	7.3.10

https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
https://grafana.com/products/enterprise/
https://security.netapp.com/advisory/ntap-20210430-0005/
https://www.openwall.com/lists/oss-security/2021/03/19/5

Vulnerability Database

289,689

CVE-2021-28147