During an internal security audit we discovered several vulnerabilities affecting the Grafana Enterprise versions from 6.1.0-beta1 to 7.4.4.
A more detailed report can be found on our blog.
Remote Escalation of Privileges vulnerability (CVE-2021-27962)
On the 26th of February during an internal security audit, we discovered that Grafana Enterprise 7.2.0 introduced a mechanism which allows users with the Editor role to bypass data source permissions on an organization’s default data source, if configured.
Affected versions: Grafana Enterprise 7.2.0 through 7.4.3.
Patched versions: 7.3.x and 7.4.x
Remote Access Control Bypass vulnerabilities (CVE-2021-28146, CVE-2021-28147)
On the 10th of March during our internal security audit, we discovered that on Grafana Enterprise instances using an external authentication service, Grafana Enterprise 7.4.0 introduced a mechanism which allows any authenticated user to add external groups to existing teams. We have reserved CVE-2021-28146 for this issue.
As the internal audit continued, on the 11th of March we discovered that Grafana Enterprise 6.1.0 introduced the same vulnerability as above, but only for Grafana instances which have the editorsCanAdmin feature enabled. We have reserved CVE-2021-28147 for this issue.
Affected versions:
- Grafana Enterprise 7.4.0-beta1 through 7.4.4 are affected by CVE-2021-28146.
- Grafana Enterprise 6.1.0-beta1 through 7.4.4 are affected by CVE-2021-28147.
Patched versions: 6.x, 7.3.x and 7.4.x
Remote Unauthenticated Denial of Service vulnerability (CVE-2021-28148)
On the 11th of March during our internal security audit, we discovered that Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage insights which allows any unauthenticated user to send an unlimited number of requests to the endpoint, enabling denial of service (DoS) attacks against Grafana Enterprise instances.
Affected versions: Grafana Enterprise 6.6.0-beta1 through 7.4.4.
Patched versions: 6.x, 7.3.x and 7.4.x
Solutions and mitigations
Download and install the appropriate patch for your version of Grafana Enterprise.
Affected Grafana Cloud instances have already been upgraded to the fixed versions. Grafana Enterprise customers have been provided with updated binaries ahead of this disclosure.
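To turn the affected ranges above into an inventory check, the following added example (not Grafana's own code) maps a Grafana Enterprise version string to the CVEs from this advisory that apply to it; the pre-release handling (a -betaN build sorts before its final release) is an assumption about Grafana's version scheme, and the two deployment flags reflect the conditions the advisory attaches to CVE-2021-28146 and CVE-2021-28147.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory (inclusive on both ends).
# The last element is the deployment condition the advisory ties the CVE to, if any.
AFFECTED = [
    ("CVE-2021-27962", "7.2.0", "7.4.3", None),
    ("CVE-2021-28146", "7.4.0-beta1", "7.4.4", "external_auth"),
    ("CVE-2021-28147", "6.1.0-beta1", "7.4.4", "editors_can_admin"),
    ("CVE-2021-28148", "6.6.0-beta1", "7.4.4", None),
]

# Assumed version scheme: MAJOR.MINOR.PATCH with an optional -betaN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '7.4.0-beta1' into a sortable tuple.

    A beta sorts before its final release, so the 4th field is 0 for beta
    builds and 1 for releases; the 5th field is the beta number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch, beta = m.groups()
    if beta is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(beta))


def affected_cves(version: str, external_auth: bool = True,
                  editors_can_admin: bool = True) -> List[str]:
    """Return the advisory's CVEs that apply to this Grafana Enterprise version.

    The flags describe the deployment; they default to True so that an unknown
    deployment is treated as exposed rather than silently skipped.
    """
    v = parse_version(version)
    conditions = {"external_auth": external_auth, "editors_can_admin": editors_can_admin}
    hits = []
    for cve, low, high, condition in AFFECTED:
        if condition is not None and not conditions[condition]:
            continue
        if parse_version(low) <= v <= parse_version(high):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for ver in ("6.0.0", "6.1.0-beta1", "7.2.0", "7.4.0-beta1", "7.4.4", "7.4.5"):
        print(ver, affected_cves(ver))
```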