CVE-2021-41244 - log

CVE-2021-41244 edited at 18 Nov 2021 10:54:07
Severity
- Critical
+ Medium
CVE-2021-41244 edited at 15 Nov 2021 18:58:15
Severity
- Unknown
+ Critical
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ A security issue has been found in Grafana 8.0 before version 8.2.4. When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, users with the Organization Admin role can list, add, remove, and update users’ roles in other organizations in which they are not an admin.
References
+ https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
+ https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36
Notes
+ Workaround
+ ==========
+
+ If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
CVE-2021-41244 created at 15 Nov 2021 18:53:25