Security Advisory

CVE-2021-28146

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-03-22 14:00:36
Last updated 2024-08-03 21:33:17
Assigner mitre
State PUBLISHED

Description

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.