Bug 1938981 (CVE-2021-28148) - CVE-2021-28148 grafana: usage insights API endpoint doesn't limit number of requests which could result in DoS
Summary: CVE-2021-28148 grafana: usage insights API endpoint doesn't limit number of r...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28148
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1938968
TreeView+ depends on / blocked
 
Reported: 2021-03-15 12:03 UTC by Michael Kaplan
Modified: 2023-08-31 23:45 UTC (History)
40 users (show)

Fixed In Version: Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6
Clone Of:
Environment:
Last Closed: 2021-03-29 11:35:32 UTC
Embargoed:

Attachments (Terms of Use)

Description Michael Kaplan 2021-03-15 12:03:05 UTC 
Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage insights which allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attacks against Grafana Enterprise instances. We have reserved CVE-2021-28148 for this issue. This vulnerability allows users to perform DoS attacks.
Comment 2 Sage McTaggart 2021-03-15 19:15:03 UTC 
Statement:

Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.
Comment 3 Przemyslaw Roguski 2021-03-18 17:44:50 UTC 
External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18
Comment 4 Product Security DevOps Team 2021-03-29 11:35:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28148
Note You need to log in before you can comment on or make changes to this bug.