CVE-2021-28148
Published Mar 22, 2021
Last updated 2 years ago
Overview
- Description
- One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
- Source
- cve@mitre.org
- NVD status
- Analyzed
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:N/I:N/A:P
Weaknesses
- nvd@nist.gov
- CWE-306
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "57D0867F-AE3E-4527-B891-CE8DD0CC4536",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "6.0.0"
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B3EB7759-355F-4E65-8227-1BB21F74C167",
"versionEndExcluding": "7.3.10",
"versionStartIncluding": "7.0.0"
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7CFD90C0-68A4-40F8-82FF-4B161A38C378",
"versionEndExcluding": "7.4.5",
"versionStartIncluding": "7.4.0"
}
],
"operator": "OR"
}
]
}
]