Description

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Remediation

References

CVE-2021-28148

Related Vulnerabilities

Drupal Data Processing Errors Vulnerability (CVE-2016-3171)

OpenSSL Other Vulnerability (CVE-2014-3505)

WordPress Plugin YITH WooCommerce Request A Quote Security Bypass (1.4.7)

WordPress Plugin Multiple Page Generator-MPG Cross-Site Request Forgery (3.3.9)

MySQL CVE-2024-21160 Vulnerability (CVE-2024-21160)

Severity

High

Classification

CVE-2021-28148 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities