CVE-2021-28146 - OpenCVE

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Grafana	Grafana

Configuration 1 [-]

cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*

References

Link	Resource
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724	Vendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119	Release Notes Vendor Advisory
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/	Release Notes Vendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/	Release Notes Vendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/	Release Notes Vendor Advisory
https://grafana.com/products/enterprise/	Product Vendor Advisory
https://www.openwall.com/lists/oss-security/2021/03/19/5	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-22T14:00:36

Updated: 2021-03-22T14:28:35

Reserved: 2021-03-11T00:00:00

Link: CVE-2021-28146

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-22T14:15:14.100

Modified: 2021-03-26T17:17:33.470

Link: CVE-2021-28146

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-22T14:28:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/products/enterprise/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"tags": ["x_refsource_MISC"], "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"tags": ["x_refsource_MISC"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://community.grafana.com/t/release-notes-v6-7-x/27119", "refsource": "MISC", "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"name": "https://grafana.com/products/enterprise/", "refsource": "MISC", "url": "https://grafana.com/products/enterprise/"}, {"name": "https://www.openwall.com/lists/oss-security/2021/03/19/5", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}, {"name": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/", "refsource": "CONFIRM", "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"name": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724", "refsource": "MISC", "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/", "refsource": "MISC", "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/", "refsource": "MISC", "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28146", "datePublished": "2021-03-22T14:00:36", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2021-03-22T14:28:35", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "7CFD90C0-68A4-40F8-82FF-4B161A38C378", "versionEndExcluding": "7.4.5", "versionStartIncluding": "7.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have."}, {"lang": "es", "value": "La API HTTP de sincronizaci\u00f3n de equipo en Grafana Enterprise versiones 7.4.x anteriores a 7.4.5, presenta un problema de Control de Acceso Incorrecto. En las instancias de Grafana que usan un servicio de autenticaci\u00f3n externo, esta vulnerabilidad permite a cualquier usuario autenticado agregar grupos externos a los equipos existentes. Esto puede ser usado para otorgar a un equipo de usuarios permisos que se supone que el usuario no debe tener"}], "id": "CVE-2021-28146", "lastModified": "2021-03-26T17:17:33.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-22T14:15:14.100", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://grafana.com/products/enterprise/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/03/19/5"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}