
[ASA-202111-6] grafana: access restriction bypass
Arch Linux Security Advisory ASA-202111-6
=========================================

Severity: Medium
Date    : 2021-11-18
CVE-ID  : CVE-2021-41244
Package : grafana
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2559

Summary
=======

The package grafana before version 8.2.4-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 8.2.4-1.

# pacman -Syu "grafana>=8.2.4-1"

The problem has been fixed upstream in version 8.2.4.

Workaround
==========

The issue can be mitigated by turning off the fine-grained access
control using a feature flag.

Description
===========

A security issue has been found in Grafana 8.0 before version 8.2.4.
When the fine-grained access control beta feature is enabled and there
is more than one organization in the Grafana instance, users with the
Organization Admin role can list, add, remove, and update users’ roles
in other organizations in which they are not an admin.

Impact
======

An authenticated remote attacker could change user roles in
organizations in which they are not an admin.

References
==========

https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36
https://security.archlinux.org/CVE-2021-41244
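
The three conditions from the Description can be checked together on a host. The following is an added example, not part of the advisory or of Grafana's code. It assumes the feature toggle is named accesscontrol and can also be set through GF_FEATURE_TOGGLES_ENABLE (neither name is stated in the advisory); the function names are hypothetical, and the organization count is supplied by the operator.

```python
import configparser
import re

FIRST_AFFECTED = (8, 0)   # "Grafana 8.0 before version 8.2.4"
FIXED = (8, 2, 4)         # fixed upstream version, from the advisory
TOGGLE = "accesscontrol"  # assumed toggle name, not stated in the advisory

# Constructed sample grafana.ini fragment, including a key before any section.
SAMPLE_INI = """\
app_mode = production
[feature_toggles]
enable = ngalert accesscontrol
"""

def parse_pkgver(version):
    """Turn an Arch version '[epoch:]pkgver[-pkgrel]' into a tuple of ints."""
    version = version.split(":", 1)[-1]    # drop the epoch if present
    pkgver = version.rsplit("-", 1)[0]     # drop the pkgrel if present
    return tuple(int(n) for n in re.findall(r"\d+", pkgver))

def enabled_toggles(ini_text, env=None):
    """Toggles enabled in grafana.ini, or in the environment override if set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may carry keys before its first section; park them in a dummy one.
    cp.read_string("[__top__]\n" + ini_text)
    raw = cp.get("feature_toggles", "enable", fallback="")
    raw = (env or {}).get("GF_FEATURE_TOGGLES_ENABLE", raw)
    return set(re.split(r"[\s,]+", raw.strip())) - {""}

def assess(version, ini_text, org_count, env=None):
    """Report each precondition from the advisory and whether all of them hold."""
    result = {
        "affected_version": FIRST_AFFECTED <= parse_pkgver(version) < FIXED,
        "fgac_enabled": TOGGLE in enabled_toggles(ini_text, env),
        "multiple_orgs": org_count > 1,
    }
    result["exposed"] = all(result.values())
    return result

if __name__ == "__main__":
    for v in ("8.2.3-1", "8.2.4-1"):
        print(v, assess(v, SAMPLE_INI, org_count=2))
```

On a real host, pass the version reported by pacman -Q grafana and the contents of the instance's configuration file.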