Bug 1937278 (CVE-2021-27962)
| Summary: | CVE-2021-27962 grafana: users with editor role allows to bypass data source permissions | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, grafana-maint, hvyas, jburrell, jkurik, jokerman, jramanat, jweiser, jwendell, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, nathans, nstielau, pkrupa, proguski, puebele, rcernich, security-response-team, sostapov, sponnaga, stcannon, surbania, thee, twalsh, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Grafana Enterprise 7.4.5 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Grafana Enterprise. Users with the Editor role are allowed to bypass data source permissions for the organization's default data source. The highest threat from this vulnerability is to data confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-18 19:51:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1937242 | | |
Description
msiddiqu
2021-03-10 09:19:43 UTC
Side note:

* Released RHEL-8.3 contains grafana-6.7.4
* Not yet released RHEL-8.4 contains grafana-7.3.6

Taus, can you please share more info, so we can start working on a reproducer and a fix?

(In reply to Jan Kurik from comment #2)
> Taus, can you please share more info, so we can start working on a
> reproducer and a fix?

Jan, are you asking about RHEL specifically? Platforms Analysis team will create trackers if needed and they may add more information there.

Yes, I was asking about grafana in RHEL. I will wait for the info from Platforms Analysis team.

Thanks for the info.

Statement:

Red Hat products do not ship Grafana Enterprise version, therefore are not affected by this vulnerability.

Mitigation:

If you are using the Enterprise version of Grafana, you can mitigate this vulnerability by making sure that the default data source for every Grafana organization points to a data source without permissions set up.

External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27962
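As an added check, not part of the bug record and not Grafana's own code, the Python below audits constructed data shaped like Grafana's data source and Enterprise permissions API responses (the payload format is an assumption) and reports every organization whose default data source has permissions enabled, which is the configuration the mitigation above says to avoid.

```python
# Added example, not from the Bugzilla record or from Grafana: audit which
# organizations have a default data source with Enterprise data source
# permissions enabled, the configuration the mitigation above says to avoid.
# Assumption: payload shapes follow GET /api/datasources (per org) and
# GET /api/datasources/:id/permissions (Enterprise); all data is constructed.

SAMPLE_DATASOURCES_BY_ORG = {
    1: [  # org 1: default points at a restricted data source -> finding
        {"id": 10, "name": "Prometheus", "type": "prometheus", "isDefault": True},
        {"id": 11, "name": "Loki", "type": "loki", "isDefault": False},
    ],
    2: [  # org 2: restricted data source exists but is not the default -> clean
        {"id": 20, "name": "Public", "type": "testdata", "isDefault": True},
        {"id": 21, "name": "Finance-Prom", "type": "prometheus", "isDefault": False},
    ],
}

SAMPLE_PERMISSIONS_BY_DS = {
    10: {"datasourceId": 10, "enabled": True,
         "permissions": [{"teamId": 3, "permission": 1, "permissionName": "Query"}]},
    11: {"datasourceId": 11, "enabled": False, "permissions": []},
    20: {"datasourceId": 20, "enabled": False, "permissions": []},
    21: {"datasourceId": 21, "enabled": True, "permissions": []},
}


def default_data_source(datasources):
    """Return the data source flagged isDefault for one org, or None."""
    defaults = [d for d in datasources if d.get("isDefault")]
    return defaults[0] if defaults else None


def audit_default_permissions(datasources_by_org, permissions_by_ds):
    """Return {org_id: default data source name} for every org whose default
    has permissions enabled; enabled=True counts as 'permissions set up'
    even when the explicit permission list is empty."""
    findings = {}
    for org_id, datasources in sorted(datasources_by_org.items()):
        default = default_data_source(datasources)
        if default is None:
            continue  # no explicit default configured: nothing to check
        perms = permissions_by_ds.get(default["id"], {})
        if perms.get("enabled", False):
            findings[org_id] = default["name"]
    return findings


if __name__ == "__main__":
    hits = audit_default_permissions(SAMPLE_DATASOURCES_BY_ORG, SAMPLE_PERMISSIONS_BY_DS)
    for org_id, name in hits.items():
        print(f"org {org_id}: default data source '{name}' has permissions enabled")
```

Against a live instance the two dictionaries would be filled per organization from the two API calls named in the comments; any organization reported needs its default repointed to an unrestricted data source or the permissions on that data source disabled.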