{
  "threat_severity" : "Important",
  "public_date" : "2021-03-18T13:00:00Z",
  "bugzilla" : {
    "description" : "grafana: Authorization bypass via external groups",
    "id" : "1938975",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1938975"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-639",
  "details" : [ "The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.", "A flaw was found in grafana. Authenticated users are allowed to add external groups to existing teams or to grant a user team-permissions that the user isn't supposed to have. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.",
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana-container",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-28146\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28146\nhttps://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18" ],
  "name" : "CVE-2021-28146",
  "csaw" : false
}