CVE-2021-41244Externally Controlled Reference to a Resource in Another Sphere in Grafana Grafana

CWE-610Externally Controlled Reference to a Resource in Another SphereCWE-863Incorrect Authorization6 documents5 sources
Severity
7.2HIGHNVD
CNA9.1
EPSS
0.5%
top 34.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Grafana GrafanaGrafana
Timeline
PublishedNov 15
Latest updateMay 14

Description

Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabl

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

NVDgrafana/grafana8.0.08.2.4
Gogithub.com/grafana_grafana8.0.08.2.4
CVEListV5grafana/grafana>= 8.0.0, < 8.2.4

🔴Vulnerability Details

4
OSV
Grafana Fine-grained access control vulnerability2024-05-14
GHSA
Grafana Fine-grained access control vulnerability2024-05-14
CVEList
Cross organization admin control in Grafana2021-11-15
OSV
CVE-2021-41244: Grafana is an open-source platform for monitoring and observability2021-11-15

📋Vendor Advisories

1
Red Hat
grafana: Incorrect access control in fine-grained access control feature2021-11-15
CVE-2021-41244 — Grafana Grafana vulnerability | cvebase