CVE-2021-28147

CVE-2021-28147

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn’t supposed to have.

Source: CVE-2021-28147

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다