Incorrect authorization in Grafana - CVE-2021-41244

 

Incorrect authorization in Grafana - CVE-2021-41244

Published: June 16, 2022 / Updated: June 16, 2022


Vulnerability identifier: #VU64430
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2021-41244
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grafana Labs
Affected software:
Grafana

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper access control in fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users’ roles in other organizations in which he is not an admin.


How to mitigate CVE-2021-41244

Install updates from vendor's website.

Sources