#VU64430 Incorrect authorization in Grafana - CVE-2021-41244

Cybersecurity Help s.r.o.

Published: 2022-06-16 | Updated: 2022-06-16

Vulnerability identifier: #VU64430

Vulnerability risk: Medium

CVSSv4.0: 2.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green]

CVE-ID: CVE-2021-41244

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper access control in fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users’ roles in other organizations in which he is not an admin.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Grafana: 8.0.0 - 8.0.6, 8.1.0 - 8.1.7, 8.2.0 - 8.2.3

External links
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://www.openwall.com/lists/oss-security/2021/11/15/1
https://security.netapp.com/advisory/ntap-20211223-0001/
https://bugzilla.redhat.com/show_bug.cgi?id=2024730

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

SUSE update for Security Beta update for SUSE Manager Client Tools

SUSE update for Security Beta update for SUSE Manager Client Tools and Salt

SUSE update for grafana

SUSE update for SUSE Manager Client Tools

Arch Linux update for grafana

Incorrect authorization in Grafana