Bug 1937278 (CVE-2021-27962) - CVE-2021-27962 grafana: users with editor role allows to bypass data source permissions
Summary: CVE-2021-27962 grafana: users with editor role allows to bypass data source permissions
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-27962
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1937242
 
Reported: 2021-03-10 09:19 UTC by msiddiqu
Modified: 2023-08-31 23:41 UTC

Fixed In Version: Grafana Enterprise 7.4.5
Clone Of:
Environment:
Last Closed: 2021-03-18 19:51:44 UTC
Embargoed:



Description msiddiqu 2021-03-10 09:19:43 UTC
Grafana Enterprise 7.2.0 introduced a mechanism which allowed users with the Editor role to bypass data source permissions for the organization’s default data source.

Comment 1 Jan Kurik 2021-03-10 10:27:18 UTC
Side note:
* Released RHEL-8.3 contains grafana-6.7.4
* Not yet released RHEL-8.4 contains grafana-7.3.6

Comment 2 Jan Kurik 2021-03-10 10:30:56 UTC
Taus, can you please share more info, so we can start working on a reproducer and a fix ?

Comment 5 msiddiqu 2021-03-10 13:32:38 UTC
(In reply to Jan Kurik from comment #2)
> Taus, can you please share more info, so we can start working on a
> reproducer and a fix ?

Jan, are you asking about RHEL specifically? Platforms Analysis team will create trackers if needed and they may add more information there.

Comment 6 Jan Kurik 2021-03-10 14:19:32 UTC
Yes, I was asking about grafana in RHEL.
I will wait for the info from Platforms Analysis team. Thanks for the info.

Comment 9 Przemyslaw Roguski 2021-03-11 11:46:04 UTC
Statement:

Red Hat products do not ship Grafana Enterprise version, therefore are not affected by this vulnerability.

Comment 10 Przemyslaw Roguski 2021-03-11 11:46:11 UTC
Mitigation:

If you are using the Enterprise version of Grafana, you can mitigate this vulnerability by making sure that the default data source for every Grafana organization points to a data source without permissions set up.
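
The mitigation above is a per-organization configuration check, so an operator of a multi-org Grafana Enterprise instance wants to audit every org rather than eyeball the UI. The following script is an added example, not part of this bug report or of Grafana's own code. It assumes the Grafana HTTP API endpoints GET /api/orgs (server admin), GET /api/datasources (current org; each entry carries an isDefault flag) and the Enterprise endpoint GET /api/datasources/:id/permissions (returning an object with an "enabled" boolean), and that the X-Grafana-Org-Id header selects the org for a basic-auth admin; the base URL, credentials and the constructed sample responses are illustrative. An org is flagged when its default data source has permissions enabled, which is exactly the state the mitigation says to avoid on an unpatched 7.2.0 to 7.4.4 Enterprise install.

```python
"""Audit Grafana orgs whose default data source has data source permissions
enabled (the state the CVE-2021-27962 mitigation says to avoid).

Added example; the endpoint shapes and header are assumptions documented
in the lead-in, not verified against a specific Grafana release.
"""
import base64
import json
import os
import urllib.error
import urllib.request


def default_datasource(datasources):
    """Return the entry flagged isDefault from a /api/datasources listing, or None."""
    for ds in datasources:
        if ds.get("isDefault"):
            return ds
    return None


def permissions_enabled(perms):
    """True when a /api/datasources/:id/permissions response says permissions
    are switched on. None (endpoint absent, e.g. OSS build or 404) means off."""
    return bool(perms) and bool(perms.get("enabled"))


def audit_orgs(orgs, get_datasources, get_permissions):
    """Return (org_id, org_name, datasource_name) for every org whose default
    data source has permissions enabled.

    orgs: list of {"id": .., "name": ..} as from GET /api/orgs.
    get_datasources(org_id) -> list of data source dicts for that org.
    get_permissions(org_id, ds_id) -> permissions dict, or None if unavailable.
    """
    exposed = []
    for org in orgs:
        ds = default_datasource(get_datasources(org["id"]))
        if ds is None:
            continue  # org with no default data source: nothing to bypass
        if permissions_enabled(get_permissions(org["id"], ds["id"])):
            exposed.append((org["id"], org["name"], ds["name"]))
    return exposed


class GrafanaClient:
    """Minimal basic-auth client; org context is selected per request via the
    X-Grafana-Org-Id header (assumed behaviour, see lead-in)."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = "Basic " + token

    def get(self, path, org_id=None):
        headers = {"Authorization": self.auth, "Accept": "application/json"}
        if org_id is not None:
            headers["X-Grafana-Org-Id"] = str(org_id)
        req = urllib.request.Request(self.base_url + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None  # permissions endpoint missing: treat as not enabled
            raise

    def orgs(self):
        return self.get("/api/orgs")

    def datasources(self, org_id):
        return self.get("/api/datasources", org_id) or []

    def permissions(self, org_id, ds_id):
        return self.get(f"/api/datasources/{ds_id}/permissions", org_id)


if __name__ == "__main__":
    # Live run against a real instance; credentials come from the environment
    # (hypothetical variable names chosen for this example).
    client = GrafanaClient(
        os.environ.get("GRAFANA_URL", "http://localhost:3000"),
        os.environ.get("GRAFANA_ADMIN_USER", "admin"),
        os.environ.get("GRAFANA_ADMIN_PASSWORD", "admin"),
    )
    for org_id, org_name, ds_name in audit_orgs(
        client.orgs(), client.datasources, client.permissions
    ):
        print(f"org {org_id} ({org_name}): default data source "
              f"'{ds_name}' has permissions enabled; Editors can bypass them")
```

The check only reports; the fix on an unpatched instance is to either upgrade to 7.4.5 or change each flagged org's default data source to one with no permissions configured. Because a 404 from the permissions endpoint is treated as "not enabled", running this against an OSS build reports nothing, which matches Comment 9.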

Comment 11 Przemyslaw Roguski 2021-03-18 17:44:14 UTC
External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18

Comment 12 Product Security DevOps Team 2021-03-18 19:51:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27962

