An IDOR (Insecure Direct Object Reference) vulnerability was found in the Grafana Teams APIs. This flaw impacts the `/teams/:teamId`, `/teams/:search`, and `/teams/:teamId/members` API endpoints and may allow an authenticated attacker to view unintended data by querying for a specific team ID, or to search for teams and see the total number of available teams (including teams the user does not have access to).

GitHub security advisory: https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv

Grafana blog post: https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
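The per-object authorization check whose absence produces this class of flaw, as an added example that is not part of the original report and is not Grafana's code. The `User` and `Store` types, the method names and the sample data are assumptions made for illustration; the three methods correspond to the team lookup, team members and team search endpoints named above.

```go
package main

import "fmt"

// Constructed in-memory model; type and method names are illustrative, not Grafana's.
type User struct {
	ID      int64
	IsAdmin bool
}
type Store struct {
	Teams   map[int64]string         // teamID -> team name
	Members map[int64]map[int64]bool // teamID -> set of member user IDs
}

// canView is the per-object check: the team exists and the caller is a member or an admin.
func (s *Store) canView(u User, teamID int64) bool {
	_, ok := s.Teams[teamID]
	return ok && (u.IsAdmin || s.Members[teamID][u.ID])
}

// GetTeam (GET /teams/:teamId): an inaccessible team looks the same as a missing one.
func (s *Store) GetTeam(u User, teamID int64) (string, bool) {
	if !s.canView(u, teamID) {
		return "", false
	}
	return s.Teams[teamID], true
}

// ListMembers (GET /teams/:teamId/members) applies the same gate before returning members.
func (s *Store) ListMembers(u User, teamID int64) (map[int64]bool, bool) {
	if !s.canView(u, teamID) {
		return nil, false
	}
	return s.Members[teamID], true
}

// SearchTeams (team search): totalCount is taken after filtering, so it counts visible teams only.
func (s *Store) SearchTeams(u User) (names []string, totalCount int) {
	for id, name := range s.Teams {
		if s.canView(u, id) {
			names = append(names, name)
		}
	}
	return names, len(names)
}

func main() {
	s := &Store{Teams: map[int64]string{1: "ops", 2: "finance"}, Members: map[int64]map[int64]bool{1: {7: true}}}
	fmt.Println(s.SearchTeams(User{ID: 7})) // constructed data: user 7 belongs to team 1 only
}
```

A regression test for this kind of fix should assert on the search total as well as on the per-ID lookups, since the count alone discloses the existence of teams the caller cannot see.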
Upstream pull request: https://github.com/grafana/grafana/pull/45083
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2053455]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21713