{"api_version":"1","generated_at":"2026-04-23T06:19:34+00:00","cve":"CVE-2021-28148","urls":{"html":"https://cve.report/CVE-2021-28148","api":"https://cve.report/api/cve/CVE-2021-28148.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28148","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28148"},"summary":{"title":"CVE-2021-28148","description":"One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-22 15:15:00","updated_at":"2022-07-12 17:42:00"},"problem_types":["CWE-306"],"metrics":[],"references":[{"url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","refsource":"MISC","tags":[],"title":"Release notes for Grafana 7.4.5  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","name":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","refsource":"CONFIRM","tags":[],"title":"Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://grafana.com/products/enterprise/","name":"https://grafana.com/products/enterprise/","refsource":"MISC","tags":[],"title":"Grafana Enterprise | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210430-0005/","name":"https://security.netapp.com/advisory/ntap-20210430-0005/","refsource":"CONFIRM","tags":[],"title":"March 2021 Grafana Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openwall.com/lists/oss-security/2021/03/19/5","name":"https://www.openwall.com/lists/oss-security/2021/03/19/5","refsource":"CONFIRM","tags":[],"title":"oss-security - Grafana 7.4.5, 7.3.10 and 6.7.6 released with security fixes for\n Grafana Enterprose","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","refsource":"MISC","tags":[],"title":"Release notes for Grafana 7.3.10  | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://community.grafana.com/t/release-notes-v6-7-x/27119","name":"https://community.grafana.com/t/release-notes-v6-7-x/27119","refsource":"MISC","tags":[],"title":"Release Notes v6.7.x - Releases - Grafana Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","name":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","refsource":"MISC","tags":[],"title":"Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update - Security Announcements - Grafana Labs Community Forums","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28148","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28148","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28148","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28148","qid":"501864","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2021-28148","qid":"730073","title":"Grafana Enterprise Multiple Security Vulnerabilities"},{"cve":"CVE-2021-28148","qid":"750959","title":"OpenSUSE Security Update for SUSE Manager Client Tools (openSUSE-SU-2021:2675-1)"},{"cve":"CVE-2021-28148","qid":"750960","title":"OpenSUSE Security Update for grafana (openSUSE-SU-2021:2662-1)"},{"cve":"CVE-2021-28148","qid":"750964","title":"OpenSUSE Security Update for grafana (openSUSE-SU-2021:1148-1)"},{"cve":"CVE-2021-28148","qid":"750980","title":"OpenSUSE Security Update for SUSE Manager Client Tools (openSUSE-SU-2021:1162-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28148","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://community.grafana.com/t/release-notes-v6-7-x/27119","url":"https://community.grafana.com/t/release-notes-v6-7-x/27119"},{"url":"https://grafana.com/products/enterprise/","refsource":"MISC","name":"https://grafana.com/products/enterprise/"},{"refsource":"CONFIRM","name":"https://www.openwall.com/lists/oss-security/2021/03/19/5","url":"https://www.openwall.com/lists/oss-security/2021/03/19/5"},{"refsource":"CONFIRM","name":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/","url":"https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/"},{"refsource":"MISC","name":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724","url":"https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724"},{"refsource":"MISC","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/"},{"refsource":"MISC","name":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/","url":"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210430-0005/","url":"https://security.netapp.com/advisory/ntap-20210430-0005/"}]}},"nvd":{"publishedDate":"2021-03-22 15:15:00","lastModifiedDate":"2022-07-12 17:42:00","problem_types":["CWE-306"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"7.4.0","versionEndExcluding":"7.4.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.7.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.3.10","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28148","Ordinal":"203303","Title":"CVE-2021-28148","CVE":"CVE-2021-28148","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28148","Ordinal":"1","NoteData":"One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28148","Ordinal":"2","NoteData":"2021-03-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28148","Ordinal":"3","NoteData":"2021-04-30","Type":"Other","Title":"Modified"}]}}}