Grafana incorrectly assesses permissions when global roles and global role assignments are updated, so a user with the Admin role in one organization can change the permissions and assignments of global roles. The CVSS score for this vulnerability is 6.7 (Medium).

Impact

If exploited, an attacker who holds the Organization Admin role in any organization can elevate their own permissions across all organizations, elevate other users' permissions in all organizations, or limit other users' permissions in all organizations. The vulnerability does not allow the attacker to become a member of an organization they are not already a member of, or to add any other user to an organization that the attacker is not a member of.

Potentially breaking changes and resolution explanation

Users are now required to be Grafana server administrators in order to update global roles and global role assignments. If you were relying on organization administrators being able to do that, you will now also need to grant them Grafana server administrator privileges.

Impacted versions

Grafana 8.0.0 to Grafana 10.0.0 with RBAC enabled, and Grafana 10.0.0 to Grafana 10.1.1. Only Grafana Enterprise instances with more than one organization are vulnerable. You can check whether RBAC is enabled by calling GET /api/access-control/status.
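As an added example (not code from Grafana, the advisory, or this bug report), the following Python triage helper encodes the "Impacted versions" rule above and the two checks a practitioner would run: interpreting the GET /api/access-control/status body, and listing organization admins who are not server admins (the population able to edit global roles before the fix, and the accounts that lose that ability after it). It assumes the status body is a JSON object with a boolean "enabled" key, that GET /api/users rows carry an isAdmin flag, and that GET /api/orgs/<id>/users rows carry a role field; those field names are assumptions, and the sample rows are constructed rather than captured from a real instance.

```python
"""Triage helper for the Grafana global-role permission issue.

Added example, not Grafana's or the advisory's own code. Assumptions:
  * GET /api/access-control/status returns JSON like {"enabled": true}
    (the advisory names the endpoint; the "enabled" key is assumed).
  * GET /api/users rows carry "login" and "isAdmin" (server admin flag);
    GET /api/orgs/<id>/users rows carry "login" and "role" (assumed names).
  * Version strings are semver "MAJOR.MINOR.PATCH", optionally with a
    leading "v" or a "-pre"/"+build" suffix.
"""
import json
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn "10.1.1", "v10.1.1" or "10.1.1-pre" into a comparable tuple."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def rbac_enabled(status_body: str) -> bool:
    """Interpret the body of GET /api/access-control/status.

    Anything that is not a JSON object with "enabled": true (for example a
    404 error body on a build without the endpoint) counts as not enabled,
    so callers never need a try/except around this.
    """
    try:
        body = json.loads(status_body)
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and body.get("enabled") is True


def is_affected(version: str, rbac: bool, enterprise: bool, org_count: int) -> bool:
    """Apply the advisory's affected-version rule exactly as stated.

    Affected only on Enterprise with more than one organization, and then if
      8.0.0 <= version <= 10.0.0 with RBAC enabled, or
      10.0.0 <= version <= 10.1.1 (no RBAC qualifier in the advisory).
    """
    if not enterprise or org_count < 2:
        return False
    v = parse_version(version)
    if (8, 0, 0) <= v <= (10, 0, 0) and rbac:
        return True
    return (10, 0, 0) <= v <= (10, 1, 1)


def org_admins_lacking_server_admin(
    users: List[Dict], org_members: Dict[int, List[Dict]]
) -> List[str]:
    """Logins that hold Admin in some org but are not Grafana server admins.

    Before the fix these accounts can edit global roles; after it they
    cannot, so this is the list to review when deciding who needs server
    admin granted (see "Potentially breaking changes" above).
    """
    server_admins = {u["login"] for u in users if u.get("isAdmin") is True}
    flagged = set()
    for members in org_members.values():
        for m in members:
            if m.get("role") == "Admin" and m["login"] not in server_admins:
                flagged.add(m["login"])
    return sorted(flagged)


# Constructed sample data (assumed API shapes, not captured from a real host).
SAMPLE_STATUS_BODY = '{"enabled": true}'
SAMPLE_USERS = [
    {"login": "alice", "isAdmin": True},
    {"login": "bob", "isAdmin": False},
    {"login": "carol", "isAdmin": False},
]
SAMPLE_ORG_MEMBERS = {
    1: [{"login": "alice", "role": "Admin"}, {"login": "bob", "role": "Admin"}],
    2: [{"login": "carol", "role": "Viewer"}, {"login": "bob", "role": "Editor"}],
}


if __name__ == "__main__":
    rbac = rbac_enabled(SAMPLE_STATUS_BODY)
    affected = is_affected("10.1.1", rbac, enterprise=True,
                           org_count=len(SAMPLE_ORG_MEMBERS))
    print("RBAC enabled:", rbac)
    print("Affected:", affected)
    print("Org admins without server admin:",
          org_admins_lacking_server_admin(SAMPLE_USERS, SAMPLE_ORG_MEMBERS))
```

To use it against a live instance, feed rbac_enabled() the raw body returned by GET /api/access-control/status, pass the version from GET /api/health (or the About dialog) to is_affected(), and build the users/org_members inputs from the corresponding API responses; the function names and sample rows here are illustrative only.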
Avinash, this should be closed as not a bug, I think? But it is fixed in the 7.1 release regardless. (We don't use enterprise Grafana.)
This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925