CVE-2021-27962

Description

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

How to fix CVE-2021-27962

To remediate CVE-2021-27962, upgrade the affected package to a fixed version below.

Bitnami/grafana—upgrade to 7.3.10 or later

Is CVE-2021-27962 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 7.2.0, < 7.3.10, >= 7.4.0, < 7.4.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (7)

WEBcommunity.grafana.com
WEBcommunity.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
WEBcommunity.grafana.com/t/release-notes-v6-7-x/27119
WEBgrafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/