CVE-2021-41244: Grafana Fine-grained access control vulnerability

May 14, 2024

On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

References

github.com/advisories/GHSA-mpwp-42x6-4wmx
github.com/grafana/grafana
github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes
nvd.nist.gov/vuln/detail/CVE-2021-41244
security.netapp.com/advisory/ntap-20211223-0001

Code Behaviors & Features

Detect and mitigate CVE-2021-41244 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →