Bug 2024730 (CVE-2021-41244) - CVE-2021-41244 grafana: Incorrect access control in fine-grained access control feature
Summary: CVE-2021-41244 grafana: Incorrect access control in fine-grained access control feature
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-41244
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2024732
Reported: 2021-11-18 19:08 UTC by Pedro Sampaio
Modified: 2023-09-01 01:39 UTC (History)
CC List: 36 users

Fixed In Version: grafana 8.2.4
Clone Of:
Environment:
Last Closed: 2021-12-02 20:39:35 UTC
Embargoed:



Description Pedro Sampaio 2021-11-18 19:08:25 UTC
It was discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

References:

https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
http://www.openwall.com/lists/oss-security/2021/11/15/1

Comment 2 Product Security DevOps Team 2021-12-02 20:39:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41244
