Incorrect authorization in Grafana - CVE-2021-41244
Published: June 16, 2022 / Updated: June 16, 2022
Grafana
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper access control in fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users’ roles in other organizations in which he is not an admin.
How to mitigate CVE-2021-41244
Sources
- https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
- https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
- http://www.openwall.com/lists/oss-security/2021/11/15/1
- https://security.netapp.com/advisory/ntap-20211223-0001/
- https://bugzilla.redhat.com/show_bug.cgi?id=2024730