CalvinBackup/CVEs-PoC
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2026-05-27 06:12:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
efebdd4f2d72a3494ec92163e9e88e00a3646b8a
CVEs-PoC/2021/CVE-2021-28147.md
T
0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09
2025-09-29 21:09:30 +02:00

19 lines
1.0 KiB
Markdown
Raw Blame History

### [CVE-2021-28147](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28147)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brightgreen)
### Description
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.
### POC
#### Reference
- https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
- https://community.grafana.com/t/release-notes-v6-7-x/27119
#### Github
No PoCs found on GitHub currently.
Reference in New Issue View Git Blame Copy Permalink