CVE-2021-41244 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Access restriction bypass
Description	A security issue has been found in Grafana 8.0 before version 8.2.4. When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, users with the Organization Admin role can list, add, remove, and update users’ roles in other organizations in which they are not an admin.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2559	grafana	8.2.3-1	8.2.4-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
18 Nov 2021	ASA-202111-6	AVG-2559	grafana	Medium	access restriction bypass

References
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36

Notes
Workaround ========== If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.