CVE-2022-21713: Security: Sync security changes on main by dsotirakis · Pull Request #45083 · grafana/grafana

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID; /teams/:search will allow an authenticated attacker to search for teams and see the total number of available teams, including teams that the user does not have access to; and, when the editors_can_admin flag is enabled, /teams/:teamId/members will allow an authenticated attacker to see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.


* Teams: Ensure that users searching for teams are only able to see teams they have access to
* Teams: Require teamGuardian admin privileges to list team members
* Teams: Prevent org viewers from administering teams
* Teams: Add org_id condition to team count query
* Teams: Clarify permission requirements in teams API docs
* Teams: Expand scenarios for team search tests
* Teams: Mock teamGuardian in tests

Co-authored-by: Dan Cech [email protected]
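The advisory and the commit summary above describe the same authorization pattern: every team endpoint must scope its lookup to the caller's org and check the caller's team-level rights before returning data. The following Go program is an added illustration of that pattern and is not Grafana's code or the code from this pull request; the Store, User, Team and TeamMember types, the DemoStore sample data and the role names are simplified assumptions made for the example. It places the unscoped search (the shape the advisory describes) beside the scoped one, resolves team IDs only within the caller's org, and gates the member list behind team-admin rights, with org viewers never able to administer a team.

```go
package main

import (
	"errors"
	"strings"
)

// Simplified, self-contained model of orgs, teams and memberships. This is an
// illustration, not Grafana's data model, API, or the code from the PR.
type OrgRole string

const (
	RoleViewer OrgRole = "Viewer"
	RoleEditor OrgRole = "Editor"
	RoleAdmin  OrgRole = "Admin"
)

type User struct {
	ID, OrgID int64
	OrgRole   OrgRole
}

type Team struct {
	ID, OrgID int64
	Name      string
}

// TeamMember records membership and whether the member administers the team.
type TeamMember struct {
	TeamID, UserID int64
	IsAdmin        bool
}

type Store struct {
	Teams   []Team
	Members []TeamMember
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("team not found")
)

// membership reports whether userID belongs to teamID and administers it.
func (s *Store) membership(userID, teamID int64) (member, admin bool) {
	for _, m := range s.Members {
		if m.TeamID == teamID && m.UserID == userID {
			return true, m.IsAdmin
		}
	}
	return false, false
}

// SearchTeamsUnscoped shows the flawed shape the advisory describes: it filters
// on name only, so results (and their count) include teams in other orgs and
// teams the caller is not a member of.
func (s *Store) SearchTeamsUnscoped(query string) []Team {
	var out []Team
	for _, t := range s.Teams {
		if strings.Contains(strings.ToLower(t.Name), strings.ToLower(query)) {
			out = append(out, t)
		}
	}
	return out
}

// SearchTeams is the hardened shape: results are scoped to the caller's org,
// and callers who are not org admins only see teams they belong to.
func (s *Store) SearchTeams(u User, query string) []Team {
	var out []Team
	for _, t := range s.Teams {
		if t.OrgID != u.OrgID || !strings.Contains(strings.ToLower(t.Name), strings.ToLower(query)) {
			continue
		}
		if member, _ := s.membership(u.ID, t.ID); u.OrgRole != RoleAdmin && !member {
			continue
		}
		out = append(out, t)
	}
	return out
}

// GetTeam resolves a team ID only within the caller's org, so an ID guessed
// from another org yields not-found instead of data.
func (s *Store) GetTeam(u User, teamID int64) (Team, error) {
	for _, t := range s.Teams {
		if t.ID == teamID && t.OrgID == u.OrgID {
			return t, nil
		}
	}
	return Team{}, ErrNotFound
}

// CanAdministerTeam: org admins always; editors only when the editors_can_admin
// flag is on and they administer this particular team; viewers never.
func (s *Store) CanAdministerTeam(u User, teamID int64, editorsCanAdmin bool) bool {
	if _, err := s.GetTeam(u, teamID); err != nil {
		return false
	}
	_, teamAdmin := s.membership(u.ID, teamID)
	switch u.OrgRole {
	case RoleAdmin:
		return true
	case RoleEditor:
		return editorsCanAdmin && teamAdmin
	}
	return false
}

// ListTeamMembers gates the member list behind team-admin rights.
func (s *Store) ListTeamMembers(u User, teamID int64, editorsCanAdmin bool) ([]TeamMember, error) {
	if !s.CanAdministerTeam(u, teamID, editorsCanAdmin) {
		return nil, ErrForbidden
	}
	var out []TeamMember
	for _, m := range s.Members {
		if m.TeamID == teamID {
			out = append(out, m)
		}
	}
	return out, nil
}

// DemoStore is constructed sample data: two orgs, three teams, three memberships.
func DemoStore() *Store {
	return &Store{
		Teams:   []Team{{1, 1, "Alpha"}, {2, 1, "Beta"}, {3, 2, "Alpha Ops"}},
		Members: []TeamMember{{1, 10, true}, {2, 11, false}, {3, 20, true}},
	}
}
```

With the sample data, an org-1 editor searching "alpha" gets one result from SearchTeams but two from SearchTeamsUnscoped (the second being the org-2 team), a viewer cannot list any team's members regardless of the flag, and the editor who administers team 1 can list its members only while editors_can_admin is on. The org check sits inside GetTeam so that every endpoint resolving a team ID inherits it rather than each handler repeating it.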


(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)


(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)


(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)


(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)


(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)


(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)


(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)


(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)


(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)
