CVE-2021-41244
📋 TL;DR
This vulnerability in Grafana allows organization administrators to access and modify users in other organizations when fine-grained access control is enabled. It affects Grafana instances with multiple organizations running versions 8.0 through 8.2.3 with the beta feature enabled.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
Organization admins could gain unauthorized access to all organizations, modify user roles, escalate privileges, and potentially compromise the entire monitoring infrastructure.
Likely Case
Organization admins accidentally or intentionally accessing users in other organizations they shouldn't have access to, leading to privilege escalation and data exposure.
If Mitigated
Limited to authorized organization admins only accessing their own organization's users as intended.
🎯 Exploit Status
Requires authenticated organization admin access. The vulnerability is straightforward to exploit once conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.4 and later
Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
Restart Required: Yes
Instructions:
1. Back up your Grafana configuration and data.
2. Download Grafana 8.2.4 or later from official sources.
3. Stop the Grafana service.
4. Install the new version.
5. Start the Grafana service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable fine-grained access control
Turn off the beta feature flag for fine-grained access control. The beta is switched on by listing its toggle under [feature_toggles] in grafana.ini; in the 8.x releases that toggle is named accesscontrol.
Edit grafana.ini and remove accesscontrol from the enable list, so that a section such as
[feature_toggles]
enable = accesscontrol
becomes
[feature_toggles]
enable =
Or, if the toggle list is set through the environment instead, remove accesscontrol from the value of GF_FEATURE_TOGGLES_ENABLE. Restart Grafana for the change to take effect.
🧯 If You Can't Patch
- Disable fine-grained access control beta feature immediately
- Restrict organization admin roles to trusted users only and monitor their activities
🔍 How to Verify
Check if Vulnerable:
Check the Grafana version and feature flags:
1. Navigate to Administration → About in the Grafana UI.
2. Check whether the version is between 8.0 and 8.2.3.
3. Check whether fine-grained access control is enabled in the feature flags.
Check Version:
Run grafana-cli --version, or query the /api/health endpoint, whose JSON response reports the running version.
Verify Fix Applied:
1. Confirm the Grafana version is 8.2.4 or higher.
2. Verify that organization admins can only access users in their own organization.
3. Test that cross-organization user access attempts fail.
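The workaround and the verification steps above both come down to two facts about an instance: its version and whether the accesscontrol toggle is on. The script below, an added example rather than anything shipped by Grafana, reads the version from a saved /api/health response and the toggle list from grafana.ini text or from a GF_FEATURE_TOGGLES_ENABLE value, reports whether the instance is in the affected window, and rewrites the [feature_toggles] enable line without the toggle. The sample health response and ini text are constructed; the toggle name accesscontrol is assumed to be the 8.x name for the fine-grained access control beta.

```python
"""Assess a Grafana instance against CVE-2021-41244 (version window + feature toggle).

Added example, not Grafana's own tooling. Inputs are constructed samples.
"""
import configparser
import json
import re

FIRST_AFFECTED = (8, 0, 0)   # affected range starts at 8.0 per the advisory
FIXED = (8, 2, 4)            # first fixed release
# Assumption: the fine-grained access control beta is enabled in 8.x by the
# feature toggle named "accesscontrol" in [feature_toggles] enable = ...
TOGGLE = "accesscontrol"

# Constructed sample inputs (not captured from a real instance)
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "8.2.3"}'
SAMPLE_INI = """; constructed grafana.ini fragment
[server]
http_port = 3000

[feature_toggles]
enable = accesscontrol, ngalert
"""


def parse_version(version: str) -> tuple:
    """Turn '8.2.3' or '8.2.3-beta1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: str) -> bool:
    """True when 8.0.0 <= version < 8.2.4."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def _split_toggles(raw: str) -> set:
    return {t for t in re.split(r"[,\s]+", raw.strip()) if t}


def toggles_from_ini(ini_text: str) -> set:
    """Enabled feature toggles from grafana.ini text ([feature_toggles] enable = a, b)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return _split_toggles(cp.get("feature_toggles", "enable", fallback=""))


def toggles_from_env(value: str) -> set:
    """Enabled feature toggles from a GF_FEATURE_TOGGLES_ENABLE value."""
    return _split_toggles(value)


def is_vulnerable(health_json: str, toggles: set) -> bool:
    """Vulnerable only when the version is in the window AND the beta toggle is on."""
    version = json.loads(health_json)["version"]
    return version_affected(version) and TOGGLE in toggles


def remove_toggle(ini_text: str, toggle: str = TOGGLE) -> str:
    """Return the ini text with `toggle` dropped from [feature_toggles] enable.

    Edits line by line so comments and other sections are preserved verbatim.
    """
    out, in_section = [], False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == "[feature_toggles]"
        elif in_section and re.match(r"\s*enable\s*=", line):
            key, _, value = line.partition("=")
            kept = [t for t in re.split(r"[,\s]+", value.strip()) if t and t != toggle]
            line = f"{key.strip()} = {', '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    toggles = toggles_from_ini(SAMPLE_INI)
    print("enabled toggles:", sorted(toggles))
    print("vulnerable:", is_vulnerable(SAMPLE_HEALTH, toggles))
    print("workaround ini:\n" + remove_toggle(SAMPLE_INI))
```

Feed it the real /api/health body and your grafana.ini (or the environment value) rather than the samples; if is_vulnerable returns True, either upgrade or apply the rewritten ini and restart.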
📡 Detection & Monitoring
Log Indicators:
- Organization admin accessing users from other organizations
- Unauthorized user role modifications across organizations
- Failed access attempts to other organizations' users
Network Indicators:
- API calls to /api/orgs/[other_org_id]/users endpoints from unauthorized sources
SIEM Query:
source="grafana" AND ("org_users" OR "update_role") AND org_id!="current_org"
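The log and network indicators above reduce to one condition: a request to /api/orgs/{id}/users whose path names an org other than the caller's current org. The script below, an added example and not part of the original page or of Grafana, applies that condition to Grafana router log lines in logfmt and reports each hit together with whether the request succeeded (a 2xx after the fix means the mitigation is not in place). The log lines are constructed; the field names (logger=context, userId, orgId, uname, method, path, status) follow Grafana's request logging but are an assumption about your deployment, as is that router logging is switched on so that successful requests are logged at all.

```python
"""Detect cross-organization user-management calls in Grafana request logs.

Added example, not Grafana's own code. Sample lines are constructed and the
logfmt field names are assumed to match your instance's router logging.
"""
import re
import shlex

# Org-scoped user management endpoints: list users, or act on one user.
ORG_USERS_PATH = re.compile(r"^/api/orgs/(\d+)/users(?:/\d+)?$")

# Constructed sample log lines (not from a real instance)
SAMPLE_LOG = [
    't=2021-11-15T10:00:01+0000 lvl=info msg="Request Completed" logger=context userId=7 orgId=1 uname=orgadmin method=GET path=/api/orgs/1/users status=200 remote_addr=10.0.0.5',
    't=2021-11-15T10:00:02+0000 lvl=info msg="Request Completed" logger=context userId=7 orgId=1 uname=orgadmin method=GET path=/api/orgs/2/users status=200 remote_addr=10.0.0.5',
    't=2021-11-15T10:00:03+0000 lvl=info msg="Request Completed" logger=context userId=7 orgId=1 uname=orgadmin method=PATCH path=/api/orgs/2/users/12 status=200 remote_addr=10.0.0.5',
    't=2021-11-15T10:00:04+0000 lvl=info msg="Request Completed" logger=context userId=3 orgId=2 uname=viewer method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.9',
    't=2021-11-15T10:00:05+0000 lvl=info msg="Request Completed" logger=context userId=7 orgId=1 uname=orgadmin method=PATCH path=/api/orgs/2/users/12 status=403 remote_addr=10.0.0.5',
]


def parse_logfmt(line: str) -> dict:
    """Split a logfmt line into key/value pairs; quoted values may contain spaces."""
    fields = {}
    for tok in shlex.split(line):
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def cross_org_access(fields: dict):
    """Return (caller_org, target_org) when the path targets another org's users."""
    m = ORG_USERS_PATH.match(fields.get("path", ""))
    if not m:
        return None
    caller_org = fields.get("orgId")
    target_org = m.group(1)
    if caller_org is None or caller_org == target_org:
        return None
    return int(caller_org), int(target_org)


def find_suspicious(lines) -> list:
    """One record per cross-org user-management request found in `lines`."""
    hits = []
    for line in lines:
        fields = parse_logfmt(line)
        orgs = cross_org_access(fields)
        if orgs is None:
            continue
        status = fields.get("status", "")
        hits.append({
            "time": fields.get("t"),
            "user": fields.get("uname"),
            "userId": fields.get("userId"),
            "caller_org": orgs[0],
            "target_org": orgs[1],
            "method": fields.get("method"),
            "path": fields["path"],
            "status": status,
            # A 2xx on a cross-org call means the request went through;
            # on a fixed or mitigated instance these should all be 403.
            "succeeded": status.startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        flag = "ALLOWED" if hit["succeeded"] else "denied"
        print(f'{hit["time"]} {hit["user"]} (org {hit["caller_org"]}) '
              f'{hit["method"]} {hit["path"]} -> {hit["status"]} {flag}')
```

Point find_suspicious at a file iterator over the Grafana log to run it on real data; the succeeded records are the ones to investigate, while a stream of denied records from one account is the audit trail the "monitor their activities" mitigation calls for.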
🔗 References
- http://www.openwall.com/lists/oss-security/2021/11/15/1
- https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
- https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/
- https://security.netapp.com/advisory/ntap-20211223-0001/