#VU64430 Incorrect authorization in Grafana - CVE-2021-41244

Published: June 16, 2022 / Updated: June 16, 2022


Vulnerability identifier: #VU64430
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2021-41244
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Grafana
Software vendor: Grafana Labs

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper access control in the fine-grained access control feature. A remote user who holds the admin role in one organization can list, add, remove, and update users' roles in other organizations in which they are not an admin.
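To make the flaw concrete, here is an added example in Go (not Grafana's code and not part of the advisory) that models how an organization-scoped authorization check goes wrong: the vulnerable form accepts an admin role held in any organization, while the fixed form requires the Admin role in the very organization whose users are being managed. The User and Role types and the two CanManageOrgUsers functions are hypothetical names chosen for illustration.

```go
package main

import "fmt"

// Role is an organization-scoped role; only Admin may manage org users.
type Role string

const (
	Viewer Role = "Viewer"
	Editor Role = "Editor"
	Admin  Role = "Admin"
)

// User carries one role per organization ID.
// Illustrative model only, not Grafana's own types.
type User struct {
	Login string
	Roles map[int64]Role // orgID -> role held in that org
}

// isAdminAnywhere is the flawed predicate: being admin in any org counts.
func isAdminAnywhere(u User) bool {
	for _, r := range u.Roles {
		if r == Admin {
			return true
		}
	}
	return false
}

// CanManageOrgUsersVulnerable never compares the caller's membership with the
// org whose user roles are listed or changed, so targetOrgID is ignored.
func CanManageOrgUsersVulnerable(caller User, targetOrgID int64) bool {
	return isAdminAnywhere(caller)
}

// CanManageOrgUsersFixed scopes the decision to the target org: the caller
// must hold Admin in that org. A missing entry yields "" and is denied.
func CanManageOrgUsersFixed(caller User, targetOrgID int64) bool {
	return caller.Roles[targetOrgID] == Admin
}

func main() {
	// Constructed sample: admin of org 1, plain viewer in org 2.
	alice := User{Login: "alice", Roles: map[int64]Role{1: Admin, 2: Viewer}}
	fmt.Printf("manage org 2 users: vulnerable=%v fixed=%v\n",
		CanManageOrgUsersVulnerable(alice, 2), CanManageOrgUsersFixed(alice, 2))
}
```

The vulnerable check grants alice control over org 2's user roles purely because she is an admin in org 1; the fixed check denies it while still allowing her to manage org 1.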


Remediation

Install updates from vendor's website.

External links