Severity |
|
Remote |
|
Type |
- |
Unknown |
+ |
Access restriction bypass |
|
Description |
+ |
A security issue has been found in Grafana 8.0 before version 8.2.4. When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, users with the Organization Admin role can list, add, remove, and update users’ roles in other organizations in which they are not an admin. |
|
References |
+ |
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx |
+ |
https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36 |
|
Notes |
+ |
Workaround |
+ |
========== |
+ |
|
+ |
If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. |
|