Description
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
Remediation
References