ID CVE-2021-28146
Summary The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
References
Vulnerable Configurations
  • cpe:2.3:a:grafana:grafana:7.4.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:grafana:grafana:7.4.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:grafana:grafana:7.4.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:grafana:grafana:7.4.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:grafana:grafana:7.4.4:*:*:*:enterprise:*:*:*
CVSS
Base: 4.0 (as of 26-03-2021 - 17:17)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:P/A:N
Last major update 26-03-2021 - 17:17
Published 22-03-2021 - 14:15
Last modified 26-03-2021 - 17:17