CVE-2021-28146

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-28146
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28146.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-28146
Aliases
Related
Published
2021-03-22T14:15:14Z
Modified
2024-06-06T13:40:05.017470Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events

Affected versions

v7.*

v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4