#VU64430 Incorrect authorization in Grafana


Published: 2022-06-16 | Updated: 2022-06-16

Vulnerability identifier: #VU64430

Vulnerability risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41244

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper access control in fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users’ roles in other organizations in which he is not an admin.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Grafana: 8.2.0 - 8.2.3, 8.1.0 - 8.1.7, 8.0.0 - 8.0.6

External links
http://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
http://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
http://www.openwall.com/lists/oss-security/2021/11/15/1
http://security.netapp.com/advisory/ntap-20211223-0001/
http://bugzilla.redhat.com/show_bug.cgi?id=2024730

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools and Salt
SUSE update for grafana
SUSE update for SUSE Manager Client Tools
SUSE update for SUSE Manager Client Tools
Arch Linux update for grafana
Incorrect authorization in Grafana