Home > Vulnerability Database > CVE-2021-28146

Mend.io Vulnerability Database

CVE-2021-28146

Date: March 22, 2021

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.

Severity Score

6.1

Related Resources (10)

Url: https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-28146

Url: https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/

Url: https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724

Url: https://community.grafana.com/t/release-notes-v6-7-x/27119

Url: https://grafana.com/products/enterprise/

Url: https://security.alpinelinux.org/vuln/CVE-2021-28146

Url: https://www.openwall.com/lists/oss-security/2021/03/19/5

Url: https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/

Url: https://www.mend.io/vulnerability-database/CVE-2021-28146

Severity Score

6.1

Weakness Type (CWE)

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-28146

Date: March 22, 2021

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?