Date: Mon, 15 Nov 2021 18:01:27 +0100
From: Vardan Torosyan <vardan.torosyan@...fana.com>
To: oss-security@...ts.openwall.com
Subject: Grafana 8.2.4 released with security fixes

Dear all,

We have released Grafana 8.2.4 with security fixes. This patch release
includes security fixes that affect Grafana versions 8.0.0 through 8.2.3.

The vulnerability only affects Grafana instances where fine-grained access
control beta is enabled, and there is more than one organization in the
Grafana instance. Grafana Cloud instances have not been affected by the
vulnerability.

*Incorrect Access Control (CVE-2021-41244)*

On Nov. 2, during an internal security audit, we discovered that Grafana 8.0
introduced a mechanism which, when the fine-grained access control beta
feature is enabled and there is more than one organization in the Grafana
instance, allowed users with the Organization Admin role to list, add,
remove, and update users' roles in other organizations in which they are not
an admin.

*Affected versions with high severity*

Grafana 8.0 to 8.2.3

*Solutions and mitigations*
All installations between v8.0 and v8.2.3 that have fine-grained access
control beta enabled and more than one organization should be upgraded as
soon as possible. If you cannot upgrade, you should turn off the
fine-grained access control using a feature flag.
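The following is an added example, not code from the advisory or from Grafana itself. It turns the three preconditions named above (version 8.0.0 through 8.2.3, the fine-grained access control beta enabled, more than one organization) into a pre-upgrade check, and shows the interim mitigation applied to a grafana.ini fragment. Assumptions not stated in the advisory: the beta is switched on through the `accesscontrol` entry of `[feature_toggles] enable` in grafana.ini, the sample INI text is constructed, and the organization count is supplied by the operator (for example from the Grafana admin API).

```python
"""Pre-upgrade check for the CVE-2021-41244 preconditions.

Added example, not Grafana's own code. ASSUMPTIONS not in the advisory:
the fine-grained access control (FGAC) beta is enabled via the
"accesscontrol" entry of [feature_toggles] enable in grafana.ini, and the
caller obtains the organization count separately (e.g. admin API).
"""
import configparser
import re
from typing import Tuple

AFFECTED_MIN = (8, 0, 0)  # first affected version (inclusive), per the advisory
AFFECTED_MAX = (8, 2, 3)  # last affected version (inclusive); 8.2.4 is the fix
FEATURE_FLAG = "accesscontrol"  # assumed toggle name for the FGAC beta


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from '8.2.3', 'v8.2.4' or '8.0.0-beta1'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: str) -> bool:
    """True when the version falls inside 8.0.0..8.2.3 (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def _enabled_toggles(ini_text: str) -> set:
    """Parse [feature_toggles] enable, a comma/space separated list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = cp.get("feature_toggles", "enable", fallback="")
    return {t.strip() for t in re.split(r"[,\s]+", raw) if t.strip()}


def fgac_enabled(ini_text: str) -> bool:
    return FEATURE_FLAG in _enabled_toggles(ini_text)


def assess(version: str, ini_text: str, org_count: int) -> dict:
    """Combine the three advisory preconditions into one verdict with reasons."""
    reasons = []
    if version_in_affected_range(version):
        reasons.append(f"version {version} is within 8.0.0..8.2.3")
    if fgac_enabled(ini_text):
        reasons.append("fine-grained access control beta is enabled")
    if org_count > 1:
        reasons.append(f"instance has {org_count} organizations")
    # All three must hold for the instance to be affected.
    return {"affected": len(reasons) == 3, "reasons": reasons}


def disable_fgac_toggle(ini_text: str) -> str:
    """Return the INI text with the FGAC toggle removed from [feature_toggles]
    enable: the interim mitigation for instances that cannot upgrade yet.
    Other toggles on the same line are preserved."""
    out, section = [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "feature_toggles" and re.match(r"^\s*enable\s*=", line):
            key, _, value = line.partition("=")
            kept = [t for t in re.split(r"[,\s]+", value)
                    if t.strip() and t.strip() != FEATURE_FLAG]
            line = f"{key.rstrip()} = {','.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample grafana.ini fragment (not taken from any real deployment).
SAMPLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
; comma-separated list of beta features to switch on (constructed sample)
enable = accesscontrol, example-toggle
"""

if __name__ == "__main__":
    print(assess("8.2.3", SAMPLE_INI, org_count=3))
    print(disable_fgac_toggle(SAMPLE_INI))
```

Running the module prints the verdict for a constructed 8.2.3 instance with the beta enabled and three organizations (affected), followed by the mitigated INI text in which only the `accesscontrol` toggle has been dropped; upgrading to 8.2.4 remains the real fix, and the mitigation is meant only to bridge the gap until that happens.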


*Patched versions*
Release v8.2.4, containing only the security fix:

* Download Grafana 8.2.4 - https://grafana.com/grafana/download/8.2.4
* Release notes - https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-4/

Further information can be found at
https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/

Best Regards,
Vardan Torosyan
