Grafana API IDOR

Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes MEDIUM severity security fix for Grafana Teams API IDOR. Release v.8.3.5, only containing security fixes: Download Grafana 8.3.5 Release notes Release v.7.5.15, only containing security fixes: Download Grafana 7.5.15 Release notes Teams API IDOR(CVE-2022-21713) On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Impact This vulnerability only impacts the following API endpoints: /teams/:teamId – an authenticated attacker can view unintended data by querying for the specific team ID. /teams/:search – an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to. /teams/:teamId/members – when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Affected versions with MEDIUM severity All Grafana >=5.0.0-beta1 versions are affected by this vulnerability. Solutions and mitigations All installations after Grafana v5.0.0-beta1 should be upgraded as soon as possible. Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers…Read More