Bug 1938978 (CVE-2021-28147)

Summary: CVE-2021-28147 grafana: Allows to bypass access control restrictions via external groups
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, grafana-maint, hvyas, jburrell, jkurik, jokerman, jramanat, jweiser, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, nathans, nstielau, pkrupa, puebele, rcernich, security-response-team, sostapov, sponnaga, stcannon, surbania, thee, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana Enterprise. An authenticated user can add an external group to an existing team when the editorsCanAdmin feature is enabled. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-29 11:35:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1938968

Description Michael Kaplan 2021-03-15 11:59:19 UTC
On Grafana instances using an external authentication service and having the editorsCanAdmin feature enabled, Grafana Enterprise 6.1.0 introduced a mechanism which allows any authenticated user to add external groups to any existing team, without having to be an Admin of the team. This can be used to grant a user team permissions that the user isn’t supposed to have. This vulnerability allows users to bypass access control restrictions.

The vulnerability can only be triggered if you have defined at least one team in Grafana, even if that team is unused.
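The description above gives four preconditions for exposure: an Enterprise build, a version in the affected range (6.1.0 up to the fixed 6.7.6 / 7.4.5 releases named in the bug's "Fixed In Version" field), the editorsCanAdmin feature enabled, and at least one team defined. The following is an added defender-side check, not code from the bug report or from the Grafana project; it assumes the feature is toggled by the `editors_can_admin` key in the `[users]` section of `grafana.ini` (or its `GF_USERS_EDITORS_CAN_ADMIN` environment override, Grafana's usual env-var convention), and it takes the team count and edition as inputs rather than querying a live instance. The sample ini fragments are constructed for the example.

```python
"""Exposure check for CVE-2021-28147 (added example; not from the bug report)."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Boundaries taken from the bug report: the flawed mechanism arrived in
# Grafana Enterprise 6.1.0 and was fixed in 6.7.6 and 7.4.5.
FIRST_AFFECTED: Tuple[int, int, int] = (6, 1, 0)
FIXED_BY_MAJOR: Dict[int, Tuple[int, int, int]] = {6: (6, 7, 6), 7: (7, 4, 5)}

# Constructed grafana.ini fragments: the weak setting and its hardened form.
WEAK_INI = """
[users]
editors_can_admin = true
"""
HARDENED_INI = """
[users]
editors_can_admin = false
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.4.3' or 'v7.4.3' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True when the version lies in [6.1.0, fix) for its major series."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False                      # predates the flawed mechanism
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return False                      # 8.x and later shipped after the fix
    return v < fixed


def editors_can_admin_enabled(ini_text: str,
                              env: Optional[Dict[str, str]] = None) -> bool:
    """Resolve the editorsCanAdmin toggle from env override, then grafana.ini.

    Assumption: the GF_<SECTION>_<KEY> environment convention overrides the
    ini file, so the env value wins when present.
    """
    env = env or {}
    override = env.get("GF_USERS_EDITORS_CAN_ADMIN")
    if override is not None:
        return override.strip().lower() in ("true", "1", "yes", "on")
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may carry keys before the first [section]; give them a home
    cfg.read_string("[__toplevel__]\n" + ini_text)
    return cfg.getboolean("users", "editors_can_admin", fallback=False)


def assess(ini_text: str, version: str, enterprise: bool, team_count: int,
           env: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Combine the four preconditions; 'exposed' is True only if all hold."""
    reasons: List[str] = []
    if not enterprise:
        reasons.append("OSS build: only Grafana Enterprise is affected")
    if not version_is_affected(version):
        reasons.append(f"version {version} is outside the affected range")
    if not editors_can_admin_enabled(ini_text, env):
        reasons.append("editors_can_admin is disabled")
    if team_count < 1:
        reasons.append("no teams defined, so nothing to add a group to")
    return {"exposed": not reasons, "not_exposed_because": reasons}


if __name__ == "__main__":
    # Two constructed deployments: one exposed, one hardened by config only.
    print(assess(WEAK_INI, "7.4.3", enterprise=True, team_count=2))
    print(assess(HARDENED_INI, "7.4.3", enterprise=True, team_count=2))
```

Either remediation the report implies, upgrading past the fixed release or switching `editors_can_admin` off, flips `exposed` to False independently; the env override branch matters because a container deployment can re-enable the feature without touching the ini file on disk.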

Comment 2 amctagga 2021-03-15 19:15:10 UTC
Statement:

Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.

Comment 3 Przemyslaw Roguski 2021-03-18 17:44:43 UTC
External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18

Comment 4 Product Security DevOps Team 2021-03-29 11:35:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28147