Bug 1938981 (CVE-2021-28148) - CVE-2021-28148 grafana: usage insights API endpoint doesn't limit number of requests which could result in DoS
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28148
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1938968
Reported: 2021-03-15 12:03 UTC by Michael Kaplan
Modified: 2023-08-31 23:45 UTC (History)

Fixed In Version: Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana Enterprise. The HTTP API endpoint for usage insights can be used by any unauthenticated user to send an unlimited number of requests to that endpoint, leading to a denial of service (DoS). The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-03-29 11:35:32 UTC
Embargoed:



Description Michael Kaplan 2021-03-15 12:03:05 UTC
Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage insights which allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to denial of service (DoS) attacks against Grafana Enterprise instances. We have reserved CVE-2021-28148 for this issue. This vulnerability allows users to perform DoS attacks.

Comment 2 Sage McTaggart 2021-03-15 19:15:03 UTC
Statement:

Red Hat products do not ship the Grafana Enterprise version; therefore they are not affected by this vulnerability.

Comment 3 Przemyslaw Roguski 2021-03-18 17:44:50 UTC
External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18

Comment 4 Product Security DevOps Team 2021-03-29 11:35:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28148

