SB2021031903 - Multiple vulnerabilities in Grafana

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Privilege Management (CVE-ID: CVE-2021-27962)

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper privilege management. A remote user with Editor privileges can bypass data source permissions on the organization's default data source.

2) Improper access control (CVE-ID: CVE-2021-28146)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and add external groups to existing teams.

3) Improper access control (CVE-ID: CVE-2021-28147)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions, when editorsCanAdmin  feature is enabled. A remote user can bypass implemented security restrictions and add external group members to existing teams.

4) Improper control of interaction frequency (CVE-ID: CVE-2021-28148)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to absent control of interaction frequency within the HTTP API endpoint for insights usage. A remote non-authenticated attacker send multiple HTTP requests and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/