Grafana 8.0 introduced a fine-grained access control beta feature. When that feature is enabled and the Grafana instance contains more than one organization, a user holding the Organization Admin role in one organization could list, add, remove, and update users' roles in other organizations in which they are not an admin. Grafana 8.2.4 contains the fix.

References:
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
http://www.openwall.com/lists/oss-security/2021/11/15/1
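The three preconditions the advisory names (a version from 8.0 up to but not including 8.2.4, the access control beta switched on, and more than one organization) can be checked mechanically during triage. The Python script below is an added example and is not Grafana's or Red Hat's code. It assumes the beta was enabled through the `accesscontrol` entry of `[feature_toggles] enable` in grafana.ini (a `GF_FEATURE_TOGGLES_ENABLE` environment override would not be seen by it), that the running version is the `version` field of `GET /api/health`, and that the organization list is the JSON array from `GET /api/orgs`; the config text and both API responses are constructed inline so it runs offline.

```python
"""CVE-2021-41244 triage helper: added example, not Grafana's or Red Hat's code.

Assumptions (not stated in the advisory):
  * the fine-grained access control beta is switched on via the `accesscontrol`
    entry of `[feature_toggles] enable = ...` in grafana.ini;
  * the running version is the `version` field of GET /api/health;
  * the organization list is the JSON array returned by GET /api/orgs.
The config text and both API responses below are constructed samples.
"""
import configparser
import json
import re

INTRODUCED = (8, 0, 0)  # advisory: the mechanism appeared in Grafana 8.0
FIXED = (8, 2, 4)       # 8.2.4 release notes: first version carrying the fix


def parse_version(text):
    """'8.2.3', 'v8.2.3', '8.2.3-beta1' -> (8, 2, 3); other strings raise ValueError."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_in_affected_range(text):
    """True for 8.0.0 <= version < 8.2.4."""
    return INTRODUCED <= parse_version(text) < FIXED


def access_control_toggle_enabled(ini_text):
    """True if `accesscontrol` appears in [feature_toggles] enable (comma or space separated)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = cp.get("feature_toggles", "enable", fallback="")
    toggles = {t for t in re.split(r"[,\s]+", raw) if t}
    return "accesscontrol" in toggles


def assess(health_json, ini_text, orgs_json):
    """Return (affected, reasons). `reasons` lists every precondition that is NOT met,
    so an empty list means all three conditions from the advisory hold at once."""
    version = json.loads(health_json)["version"]
    orgs = json.loads(orgs_json)
    reasons = []
    if not version_in_affected_range(version):
        reasons.append(f"version {version} is outside [8.0.0, 8.2.4)")
    if not access_control_toggle_enabled(ini_text):
        reasons.append("accesscontrol feature toggle is not enabled")
    if len(orgs) < 2:
        reasons.append(f"{len(orgs)} organization(s); cross-org access needs more than one")
    return (not reasons, reasons)


# --- constructed samples (not captured from a real instance) -----------------
SAMPLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
; enable features, separated by spaces or commas
enable = accesscontrol,ngalert
"""
SAMPLE_HEALTH_VULNERABLE = '{"commit": "deadbeef", "database": "ok", "version": "8.2.3"}'
SAMPLE_HEALTH_FIXED = '{"commit": "cafebabe", "database": "ok", "version": "8.2.4"}'
SAMPLE_ORGS = '[{"id": 1, "name": "Main Org."}, {"id": 2, "name": "Tenant B"}]'

if __name__ == "__main__":
    for label, health in (("8.2.3", SAMPLE_HEALTH_VULNERABLE), ("8.2.4", SAMPLE_HEALTH_FIXED)):
        affected, why = assess(health, SAMPLE_INI, SAMPLE_ORGS)
        print(label, "AFFECTED" if affected else "not affected", why)
```

All three checks have to fail together for the instance to be exposed; a single-organization instance or one with the toggle off is not reachable by the cross-organization path the advisory describes, but upgrading to 8.2.4 or later is still the fix rather than relying on either of those conditions staying true.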
Upstream fix: https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41244