
Arch Linux alert ASA-202111-6 (grafana)

From:  Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:  arch-security@lists.archlinux.org
Subject:  [ASA-202111-6] grafana: access restriction bypass
Date:  Fri, 19 Nov 2021 10:45:33 +0100
Message-ID:  <20211119094533.27qiq3roqwmeajlj@archlinux.org>
Cc:  Jonas Witschel <diabonas@archlinux.org>

Arch Linux Security Advisory ASA-202111-6
=========================================

Severity: Medium
Date    : 2021-11-18
CVE-ID  : CVE-2021-41244
Package : grafana
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2559

Summary
=======

The package grafana before version 8.2.4-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 8.2.4-1.

# pacman -Syu "grafana>=8.2.4-1"

The problem has been fixed upstream in version 8.2.4.

Workaround
==========

The issue can be mitigated by turning off the fine-grained access control
using a feature flag.

Description
===========

A security issue has been found in Grafana 8.0 before version 8.2.4. When
the fine-grained access control beta feature is enabled and there is more
than one organization in the Grafana instance, users with the Organization
Admin role can list, add, remove, and update users' roles in other
organizations in which they are not an admin.

Impact
======

An authenticated remote attacker could change user roles in organizations
in which they are not an admin.

References
==========

https://github.com/grafana/grafana/security/advisories/GH...
https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9...
https://security.archlinux.org/CVE-2021-41244
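The advisory gives three conditions that must all hold for the bypass (a Grafana 8.0 to 8.2.3 build, the fine-grained access control beta toggle switched on, and more than one organization) and names the feature flag as the workaround without spelling out its name. The following is an added example, not the advisory's or Grafana's own code: it encodes those conditions as a check over an installed version string and a grafana.ini, and applies the workaround by rewriting the toggle list. The toggle name `accesscontrol` under `[feature_toggles]` is assumed from Grafana's 8.x documentation, the configuration text is constructed for the example, and the organization count is taken as a plain parameter (in practice it comes from the admin API or the database).

```python
"""Detection and workaround helper for the conditions in ASA-202111-6 /
CVE-2021-41244.  Example code, not part of the advisory or of Grafana.
Assumption: the beta toggle is spelled "accesscontrol" in [feature_toggles]."""
import configparser
import io
import re
from typing import Set, Tuple

FLAG = "accesscontrol"        # assumed toggle name for fine-grained access control
FIRST_AFFECTED = (8, 0, 0)    # "Grafana 8.0 before version 8.2.4" (advisory)
FIXED = (8, 2, 4)             # upstream fix (advisory)

# Constructed grafana.ini fragment with the toggle enabled alongside another one.
SAMPLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
# beta feature the advisory says must be on for the bypass to work
enable = accesscontrol,ngalert
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.2.3' or the pacman form '8.2.3-1' into a comparable tuple.
    The Arch pkgrel after '-' is ignored: only the upstream version matters
    for the affected range."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(text: str) -> bool:
    """True for 8.0.0 <= version < 8.2.4, the range the advisory names."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def enabled_toggles(ini_text: str) -> Set[str]:
    """Read [feature_toggles] enable = ...  Grafana accepts a comma- or
    whitespace-separated list; a missing section or key means no toggles."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("feature_toggles", "enable", fallback="")
    return {t for t in re.split(r"[,\s]+", raw) if t}


def exposed(version: str, ini_text: str, org_count: int) -> bool:
    """All three advisory conditions at once: affected build, toggle on,
    and more than one organization in the instance."""
    return (version_affected(version)
            and FLAG in enabled_toggles(ini_text)
            and org_count > 1)


def without_toggle(ini_text: str) -> str:
    """Apply the advisory's workaround: drop the toggle from the enable
    list, keeping any other toggles.  Comments in the input are not
    preserved by configparser, so review the output before installing it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return ini_text
    remaining = sorted(enabled_toggles(ini_text) - {FLAG})
    cp.set("feature_toggles", "enable", ",".join(remaining))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("8.2.3-1 with sample config, 2 orgs:", exposed("8.2.3-1", SAMPLE_INI, 2))
    print("8.2.4-1 with sample config, 2 orgs:", exposed("8.2.4-1", SAMPLE_INI, 2))
    print("after workaround:", exposed("8.2.3-1", without_toggle(SAMPLE_INI), 2))
```

On an Arch host the version string to pass is the one `pacman -Q grafana` prints; the workaround only removes the toggle from the list and otherwise leaves the file to configparser's normalisation, so diff the result against the original before restarting the service, and prefer the upgrade to 8.2.4-1 over leaving the toggle off permanently.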




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds