Description

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Remediation

References

CVE-2021-28148

Related Vulnerabilities

WordPress Plugin Newsletter Multiple Vulnerabilities (6.8.1)

MySQL CVE-2021-2304 Vulnerability (CVE-2021-2304)

Oracle JRE CVE-2019-2977 Vulnerability (CVE-2019-2977)

WordPress Plugin OAuth client Single Sign On for WordPress (OAuth 2.0 SSO) Security Bypass (3.0.3)

Perl Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2017-12883)

Severity

High

Classification

CVE-2021-28148 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Tags

Missing Update Known Vulnerabilities