The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-22T14:00:36

Updated: 2024-08-03T21:33:17.416Z

Reserved: 2021-03-11T00:00:00

Link: CVE-2021-28146

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-03-22T14:15:14.100

Modified: 2024-11-21T05:59:10.723

Link: CVE-2021-28146

cve-icon Redhat

Severity : Important

Publid Date: 2021-03-18T13:00:00Z

Links: CVE-2021-28146 - Bugzilla