cnvd - cnvd-2022-06914

cnvd-2022-06914

Vulnerability from cnvd

Title: Grafana存在未明漏洞

Description:

Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。

Grafana存在安全漏洞，该漏洞源于在受影响的版本中，当启用细粒度访问控制测试版功能并且Grafana实例中有多个组织时，管理员可以访问来自其他组织的用户。攻击者可利用该漏洞列出、添加、删除和更新其他组织中没有组织管理员角色的用户角色。

Severity: 中

Patch Name: Grafana存在未明漏洞的补丁

Patch Description:

Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。

Grafana存在安全漏洞，该漏洞源于在受影响的版本中，当启用细粒度访问控制测试版功能并且Grafana实例中有多个组织时，管理员可以访问来自其他组织的用户。攻击者可利用该漏洞列出、添加、删除和更新其他组织中没有组织管理员角色的用户角色。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-41244

Impacted products

Name
Grafana Grafana >=8.0.0，<8.2.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41244"
    }
  },
  "description": "Grafana\u662fGrafana\u5b9e\u9a8c\u5ba4\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\n\nGrafana\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4e2d\uff0c\u5f53\u542f\u7528\u7ec6\u7c92\u5ea6\u8bbf\u95ee\u63a7\u5236\u6d4b\u8bd5\u7248\u529f\u80fd\u5e76\u4e14Grafana\u5b9e\u4f8b\u4e2d\u6709\u591a\u4e2a\u7ec4\u7ec7\u65f6\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u8bbf\u95ee\u6765\u81ea\u5176\u4ed6\u7ec4\u7ec7\u7684\u7528\u6237\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5217\u51fa\u3001\u6dfb\u52a0\u3001\u5220\u9664\u548c\u66f4\u65b0\u5176\u4ed6\u7ec4\u7ec7\u4e2d\u6ca1\u6709\u7ec4\u7ec7\u7ba1\u7406\u5458\u89d2\u8272\u7684\u7528\u6237\u89d2\u8272\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-06914",
  "openTime": "2022-01-26",
  "patchDescription": "Grafana\u662fGrafana\u5b9e\u9a8c\u5ba4\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\r\n\r\nGrafana\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4e2d\uff0c\u5f53\u542f\u7528\u7ec6\u7c92\u5ea6\u8bbf\u95ee\u63a7\u5236\u6d4b\u8bd5\u7248\u529f\u80fd\u5e76\u4e14Grafana\u5b9e\u4f8b\u4e2d\u6709\u591a\u4e2a\u7ec4\u7ec7\u65f6\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u8bbf\u95ee\u6765\u81ea\u5176\u4ed6\u7ec4\u7ec7\u7684\u7528\u6237\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5217\u51fa\u3001\u6dfb\u52a0\u3001\u5220\u9664\u548c\u66f4\u65b0\u5176\u4ed6\u7ec4\u7ec7\u4e2d\u6ca1\u6709\u7ec4\u7ec7\u7ba1\u7406\u5458\u89d2\u8272\u7684\u7528\u6237\u89d2\u8272\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Grafana\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Grafana Grafana \u003e=8.0.0\uff0c\u003c8.2.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41244",
  "serverity": "\u4e2d",
  "submitTime": "2021-11-17",
  "title": "Grafana\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2021-41244 (GCVE-0-2021-41244)

Vulnerability from cvelistv5

Published

2021-11-15 20:05

Modified

2024-08-04 03:08

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

Summary

Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.

References

▼	URL	Tags
	https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx	x_refsource_CONFIRM
	https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/11/15/1	mailing-list, x_refsource_MLIST
	https://security.netapp.com/advisory/ntap-20211223-0001/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	grafana	grafana	Version: >= 8.0.0, < 8.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.510Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
          },
          {
            "name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grafana",
          "vendor": "grafana",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-23T12:07:05",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
        },
        {
          "name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
        }
      ],
      "source": {
        "advisory": "GHSA-mpwp-42x6-4wmx",
        "discovery": "UNKNOWN"
      },
      "title": "Cross organization admin control in Grafana",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41244",
          "STATE": "PUBLIC",
          "TITLE": "Cross organization admin control in Grafana"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "grafana",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 8.0.0, \u003c 8.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "grafana"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx",
              "refsource": "CONFIRM",
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
            },
            {
              "name": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/",
              "refsource": "MISC",
              "url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
            },
            {
              "name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211223-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mpwp-42x6-4wmx",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41244",
    "datePublished": "2021-11-15T20:05:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted