The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-03-22T14:00:36
Updated: 2024-08-03T21:33:17.416Z
Reserved: 2021-03-11T00:00:00
Link: CVE-2021-28146
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-03-22T14:15:14.100
Modified: 2024-11-21T05:59:10.723
Link: CVE-2021-28146
Redhat