{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-30T07:06:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/products/enterprise/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"tags": ["x_refsource_MISC"], "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210430-0005/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28147", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://community.grafana.com/t/release-notes-v6-7-x/27119", "refsource": "MISC", "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"name": "https://grafana.com/products/enterprise/", "refsource": "MISC", "url": "https://grafana.com/products/enterprise/"}, {"name": "https://www.openwall.com/lists/oss-security/2021/03/19/5", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}, {"name": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/", "refsource": "CONFIRM", "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"name": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724", "refsource": "MISC", "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/", "refsource": "MISC", "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/", "refsource": "MISC", "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}, {"name": "https://security.netapp.com/advisory/ntap-20210430-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210430-0005/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:40:12.004Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://grafana.com/products/enterprise/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210430-0005/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28147", "datePublished": "2021-03-22T14:03:53", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-08-03T21:40:12.004Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "57D0867F-AE3E-4527-B891-CE8DD0CC4536", "versionEndExcluding": "6.7.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B3EB7759-355F-4E65-8227-1BB21F74C167", "versionEndExcluding": "7.3.10", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "7CFD90C0-68A4-40F8-82FF-4B161A38C378", "versionEndExcluding": "7.4.5", "versionStartIncluding": "7.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have."}, {"lang": "es", "value": "La API HTTP de sincronizaci\u00f3n de equipo en Grafana Enterprise versiones 6.x anteriores a 6.7.6, versiones 7.x anteriores a 7.3.10 y versiones 7.4.x anteriores a 7.4.5, presenta un problema de Control de Acceso Incorrecto. En las instancias de Grafana que usan un servicio de autenticaci\u00f3n externo y presentan habilitada la funcionalidad EditorsCanAdmin, esta vulnerabilidad permite a cualquier usuario autenticado agregar grupos externos a cualquier equipo existente. Esto puede ser usado para otorgar a un equipo de usuarios permisos que se supone que el usuario no debe tener"}], "id": "CVE-2021-28147", "lastModified": "2022-05-20T20:43:48.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-22T15:15:14.537", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://grafana.com/products/enterprise/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210430-0005/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "grafana: Allows to bypass access control restrictions via external groups", "id": "1938978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1938978"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-287|CWE-863)", "details": ["The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.", "A flaw was found in Grafana Enterprise. An authenticated user can add an external group to an existing team when the editorsCanAdmin feature is enabled. The highest threat from this vulnerability is to data confidentiality."], "name": "CVE-2021-28147", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2021-03-18T13:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28147\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28147\nhttps://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18"], "statement": "Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.", "threat_severity": "Important", "upstream_fix": "Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6"}