Date: Mon, 15 Nov 2021 18:01:27 +0100
From: Vardan Torosyan <vardan.torosyan@...fana.com>
To: oss-security@...ts.openwall.com
Subject: Grafana 8.2.4 released with security fixes

Dear all,

We have released Grafana 8.2.4 with security fixes.

This patch release includes security fixes that affect Grafana versions 8.0.0 through 8.2.3. The vulnerability only affects Grafana instances where fine-grained access control beta is enabled, and there is more than one organization in the Grafana instance. Grafana Cloud instances have not been affected by the vulnerability.

*Incorrect Access Control (CVE-2021-41244)*

On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they are not an admin.

Affected versions with high severity: Grafana 8.0 to 8.2.3

*Solutions and mitigations*

All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.

*Patched versions*

Release v8.2.4, only containing a security fix:

* Download Grafana 8.2.4 - https://grafana.com/grafana/download/8.2.4
* Release notes - https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-4/

Further information can be found at https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/

Best Regards,
Vardan Torosyan
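As an added example (not part of the advisory or of Grafana's own code), a small Python check of the three preconditions the advisory names: an affected version, the fine-grained access control beta enabled, and more than one organization. It assumes the beta is switched on through the `accesscontrol` toggle under `[feature_toggles]` (taken from Grafana 8.x documentation, not from this post) and that Grafana's `GF_<SECTION>_<KEY>` environment override applies to that key; the ini text below is constructed sample input.

```python
"""Match a Grafana instance against the CVE-2021-41244 preconditions."""
import configparser
import os
from typing import Optional, Tuple

AFFECTED_MIN = (8, 0, 0)   # advisory: 8.0.0 ...
FIXED_IN = (8, 2, 4)       # ... through 8.2.3; fixed in 8.2.4
TOGGLE = "accesscontrol"   # assumed toggle name for the fine-grained access control beta

# Constructed sample grafana.ini; note the top-level key before any section.
SAMPLE_INI = """
app_mode = production
[server]
http_port = 3000
[feature_toggles]
enable = ngalert, accesscontrol
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v8.2.3' or '8.2.3-beta1' into a comparable (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def enabled_toggles(ini_text: str, env: Optional[dict] = None) -> set:
    """Collect feature toggles from grafana.ini, honouring the GF_ env override.

    An audit that reads only the file misses a toggle enabled in the unit file
    or container environment, so the environment variable wins when present.
    """
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser(interpolation=None)
    # grafana.ini may carry keys before the first [section]; configparser needs a header.
    cfg.read_string("[__root__]\n" + ini_text)
    raw = env.get("GF_FEATURE_TOGGLES_ENABLE")
    if raw is None:
        raw = cfg.get("feature_toggles", "enable", fallback="")
    return {t.strip() for t in raw.split(",") if t.strip()}


def is_affected(version: str, ini_text: str, org_count: int, env: Optional[dict] = None) -> bool:
    """True only when all three advisory preconditions hold at once."""
    in_range = AFFECTED_MIN <= parse_version(version) < FIXED_IN
    return in_range and TOGGLE in enabled_toggles(ini_text, env) and org_count > 1
```

The org count is the one input the check cannot read from configuration; take it from the admin API (`/api/orgs`) or the database when you run this against a real instance.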