Bug 1938978 (CVE-2021-28147)
Summary: | CVE-2021-28147 grafana: Allows to bypass access control restrictions via external groups | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, grafana-maint, hvyas, jburrell, jkurik, jokerman, jramanat, jweiser, jwendell, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, nathans, nstielau, pkrupa, puebele, rcernich, security-response-team, sostapov, sponnaga, stcannon, surbania, thee, twalsh, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Grafana Enterprise. An authenticated user can add an external group to an existing team when the editorsCanAdmin feature is enabled. The highest threat from this vulnerability is to data confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-03-29 11:35:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1938968 | | |
Description

Michael Kaplan, 2021-03-15 11:59:19 UTC

Statement: Red Hat products do not ship the Grafana Enterprise version, therefore they are not affected by this vulnerability.

External References: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28147