1. Home
  2. Security Advisories
  3. FreeBSD
  4. FREEBSD:D71D154A-8B83-11EC-B369-6C3BE5272ACD

[FREEBSD:D71D154A-8B83-11EC-B369-6C3BE5272ACD] Grafana -- Teams API IDOR

Severity Medium
Affected Packages 3
CVEs 1
Info Packages References Vulnerabilities

Grafana Labs reports:

  On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

    /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
    /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
    /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

  We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Package Affected Version
pkg:freebsd/grafana8 < 8.3.5
pkg:freebsd/grafana7 < 7.5.15
pkg:freebsd/grafana6
ID
FREEBSD:D71D154A-8B83-11EC-B369-6C3BE5272ACD
Severity
medium
Severity from
CVE-2022-21713
URL
http://vuxml.freebsd.org/freebsd/d71d154a-8b83-11ec-b369-6c3be5272acd.html
Published
2022-01-18T00:00:00
(2 years ago)
Modified
2022-02-12T00:00:00
(2 years ago)
Rights
FreeBSD VuXML Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:freebsd/grafana8 grafana8 < 8.3.5
Affected pkg:freebsd/grafana7 grafana7 < 7.5.15
Affected pkg:freebsd/grafana6 grafana6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date