QID 730073
Date Published: 2021-05-20
QID 730073: Grafana Enterprise Multiple Security Vulnerabilities
Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application.
Affected by the following vulnerabilities:
CVE-2021-28147: On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team.
CVE-2021-27962: Allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
CVE-2021-28148: This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
CVE-2021-28146: On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
Affected Versions:
Grafana Enterprise 7.4.x before 7.4.5
Grafana Enterprise 7.3.x before 7.3.10
Grafana Enterprise 6.3.x before 6.7.6
QID Detection Logic:
This QID checks for a vulnerable version of Grafana Enterprise.
Successful exploitation could affect integrity, availability and confidentiality.
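A version check in the spirit of the detection logic above, written as an added example rather than Qualys' own detection code: it encodes the affected ranges exactly as this advisory lists them and evaluates the JSON body that Grafana's /api/health endpoint returns. The sample responses are constructed, and the example assumes you have already confirmed the host runs the Enterprise edition, since /api/health does not distinguish editions.

```python
import json
import re

# Affected ranges exactly as the advisory lists them: (branch prefix, first fixed release).
# A version is flagged when it sits on that branch and sorts below the fixed release.
AFFECTED_RANGES = [
    ("7.4", (7, 4, 5)),
    ("7.3", (7, 3, 10)),
    ("6.3", (6, 7, 6)),   # "6.3.x before 6.7.6", as printed in the advisory
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like '7.4.3' or '7.4.3-pre1'.
    A pre-release suffix is ignored, so a pre-release of the fixed version is
    treated as fixed; raise ValueError when there is no x.y.z prefix at all."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version_text)
    branch = f"{major}.{minor}"
    return any(branch == prefix and (major, minor, patch) < fixed
               for prefix, fixed in AFFECTED_RANGES)


def check_health_payload(body):
    """Evaluate a /api/health JSON body; assumed shape: {"version": "x.y.z", ...}."""
    data = json.loads(body)
    version = data.get("version")
    if not version:
        return {"version": None, "affected": None, "reason": "no version field"}
    return {"version": version, "affected": is_affected(version), "reason": "version comparison"}


# Constructed sample responses, not captured from any real host.
SAMPLE_RESPONSES = {
    "host-a": '{"commit": "abc123", "database": "ok", "version": "7.4.3"}',
    "host-b": '{"commit": "def456", "database": "ok", "version": "7.4.5"}',
    "host-c": '{"commit": "789ghi", "database": "ok", "version": "7.3.9-pre"}',
}

if __name__ == "__main__":
    for host, body in SAMPLE_RESPONSES.items():
        print(host, check_health_payload(body))
```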
CVEs related to QID 730073
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Grafana release note 6.7.6 | Grafana Enterprise | | community.grafana.com/t/release-notes-v6-7-x/27119 |
| Grafana release note 7.3.10 | Grafana Enterprise | | grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/ |
| Grafana release note 7.4.5 | Grafana Enterprise | | grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/ |