Bug 2050743 (CVE-2022-21713)
Summary: | CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | agerstmayr, amackenz, amasferr, amctagga, anharris, anpicker, avibelli, bgeorges, bmontgom, bniver, chazlett, clement.escoffier, dandread, dkreling, drieden, eparis, flucifre, gmeno, gparvin, grafana-maint, gsmet, hamadhan, hvyas, jburrell, jkurik, jochrist, jokerman, jramanat, jwendell, jwon, lthon, mbenjamin, mhackett, mkudlej, nathans, njean, nstielau, pahickey, peholase, pgallagh, pjindal, probinso, rcernich, rdey, rruss, rsvoboda, sbiarozk, sdouglas, security-response-team, sostapov, spasquie, sponnaga, stcannon, tjochec, twalsh, vereddy, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | grafana 7.5.15, grafana 8.3.5 | Doc Type: | If docs needed, set a value |
Doc Text: |
An Insecure Direct Object Reference (IDOR) vulnerability was found on Grafana Teams APIs. This flaw impacts the `/teams/:teamId`, `/teams/:search`, `/teams/:teamId/members` API endpoints and may allow an authenticated attacker to view unintended data by querying for the specific team ID or search for teams and see the total number of available teams (including teams that the user does not have access to).
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-12-05 01:03:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2052664, 2052665, 2053455, 2053465, 2053466, 2053513, 2053514, 2054040, 2055454, 2055455, 2055456 | ||
Bug Blocks: | 2050646 |
Description
Mauro Matteo Cascella
2022-02-04 14:59:00 UTC
Upstream pull request: https://github.com/grafana/grafana/pull/45083 Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2053455] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21713 |