2024730 – (CVE-2021-41244) CVE-2021-41244 grafana: Incorrect access control in fine-grained access control feature

Bug 2024730 (CVE-2021-41244) - CVE-2021-41244 grafana: Incorrect access control in fine-grained access control feature

Summary: CVE-2021-41244 grafana: Incorrect access control in fine-grained access contr...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2021-41244
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2024732
TreeView+	depends on / blocked

Reported:	2021-11-18 19:08 UTC by Pedro Sampaio
Modified:	2023-09-01 01:39 UTC (History)
CC List:	36 users (show)
Fixed In Version:	grafana 8.2.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in grafana. When the fine-grained access control feature is enabled, and there is more than one organization in the Grafana instance, users with admin role in one organization can list, add, remove, and update users’ roles in other organizations in which they are not an admin.
Clone Of:
Environment:
Last Closed:	2021-12-02 20:39:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-11-18 19:08:25 UTC

It was discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. 

References:

https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
http://www.openwall.com/lists/oss-security/2021/11/15/1

Comment 1 Hardik Vyas 2021-11-22 06:37:21 UTC

Upstream fix:

https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36

Comment 2 Product Security DevOps Team 2021-12-02 20:39:32 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41244

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
amctagga
amuller
anharris
anpicker
aos-bugs
bmontgom
bniver
eparis
erooth
flucifre
gghezzo
gmeno
gparvin
grafana-maint
hvyas
jburrell
jkurik
jokerman
jramanat
jwendell
mbenjamin
mgoodwin
mhackett
nathans
nstielau
pahickey
puebele
rcernich
sostapov
spasquie
sponnaga
stcannon
twalsh
vereddy
vkumar