CVE-2021-28148

Sažetak

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Reference

https://community.grafana.com/t/release-notes-v6-7-x/27119
https://grafana.com/products/enterprise/
https://www.openwall.com/lists/oss-security/2021/03/19/5
https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
https://security.netapp.com/advisory/ntap-20210430-0005/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:P

Zadnje važnije ažuriranje

12-07-2022 - 17:42

Objavljeno

22-03-2021 - 15:15