CVE-2021-28148
CVSS 3.1 score: 7.5 (HIGH); EPSS: 7.2%
Description
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
How to fix CVE-2021-28148
To remediate CVE-2021-28148, upgrade the affected package to the fixed version for your release branch (the fixed versions are those named in the description):
- Grafana Enterprise 6.x: upgrade to 6.7.6 or later
- Grafana Enterprise 7.0.x to 7.3.x: upgrade to 7.3.10 or later
- Grafana Enterprise 7.4.x: upgrade to 7.4.5 or later
Is CVE-2021-28148 being exploited?
Moderate: EPSS is 7.2%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Grafana Enterprise: >= 6.0.0, < 6.7.6; >= 7.0.0, < 7.3.10; >= 7.4.0, < 7.4.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |