ArchLinux: 202111-6: grafana: access restriction bypass
Summary
A security issue has been found in Grafana 8.0 before version 8.2.4. When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, users with the Organization Admin role can list, add, remove, and update users’ roles in other organizations in which they are not an admin.
Resolution
Upgrade to 8.2.4-1.
# pacman -Syu "grafana>=8.2.4-1"
The problem has been fixed upstream in version 8.2.4.
References
https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx
https://github.com/grafana/grafana/commit/5fb0bd30e88e8c9211c42c94539c5297e3629d36
https://security.archlinux.org/CVE-2021-41244
Workaround
The issue can be mitigated by turning off fine-grained access control via its feature flag.
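The advisory names three conditions that must all hold for an instance to be exposed: a Grafana 8.x release older than 8.2.4, the fine-grained access control beta switched on, and more than one organization. The following script, added here as an example and not part of the Arch advisory or of Grafana's own code, checks those conditions against an installed package version and a grafana.ini file. It assumes that the beta is enabled through an "accesscontrol" entry under the [feature_toggles] section's "enable" key (that toggle name is an assumption of this example, not something the advisory states), and the ini content and organization count used below are constructed sample input.

```python
"""Added example: decide whether a Grafana 8.x install is exposed to the
access restriction bypass in Arch advisory 202111-6 / CVE-2021-41244.
Not part of the Arch advisory or of Grafana's own code."""
import configparser
import re

FIXED_VERSION = "8.2.4"  # upstream fix version, as stated in the advisory

# Assumption of this example: the fine-grained access control beta is
# switched on by listing "accesscontrol" in [feature_toggles] enable=.
ACCESS_CONTROL_TOGGLE = "accesscontrol"

# Constructed sample grafana.ini fragments (not real configuration files).
SAMPLE_INI_WEAK = """; constructed sample, not a real grafana.ini
[server]
http_port = 3000

[feature_toggles]
enable = accesscontrol, ngalert
"""

SAMPLE_INI_MITIGATED = """; constructed sample with the toggle removed
[server]
http_port = 3000

[feature_toggles]
enable = ngalert
"""


def parse_version(ver):
    """Turn '8.2.3' or an Arch pkgver-pkgrel such as '8.2.3-1' into a tuple.
    Only the upstream part before '-' matters for this advisory; pre-release
    suffixes are ignored, so treat a '8.2.4-beta' style string with care."""
    upstream = ver.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def is_vulnerable_version(ver):
    """True for any 8.x release older than the fixed upstream version."""
    v = parse_version(ver)
    return v[:1] == (8,) and v < parse_version(FIXED_VERSION)


def fine_grained_access_control_enabled(ini_text):
    """Parse grafana.ini text and report whether the toggle is listed."""
    cp = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False
    )
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return False
    enabled = cp.get("feature_toggles", "enable", fallback="") or ""
    toggles = {t for t in re.split(r"[,\s]+", enabled) if t}
    return ACCESS_CONTROL_TOGGLE in toggles


def exposure(version, ini_text, org_count):
    """Combine the three conditions the advisory names.

    Returns (exposed, reason). The instance is exposed only when the version
    is unfixed, the beta toggle is on, and more than one organization exists.
    """
    if not is_vulnerable_version(version):
        return False, "version is not affected (8.2.4 or later, or not 8.x)"
    if not fine_grained_access_control_enabled(ini_text):
        return False, "fine-grained access control toggle is off"
    if org_count <= 1:
        return False, "only one organization, nothing to cross into"
    return True, (
        "upgrade to 8.2.4-1 or remove the accesscontrol feature toggle"
    )


if __name__ == "__main__":
    # Example run with constructed inputs: an unfixed package, the weak
    # config and two organizations.
    print(exposure("8.2.3-1", SAMPLE_INI_WEAK, org_count=2))
    print(exposure("8.2.3-1", SAMPLE_INI_MITIGATED, org_count=2))
    print(exposure("8.2.4-1", SAMPLE_INI_WEAK, org_count=2))
```

The version string comes from `pacman -Q grafana` on Arch and the organization count from the Grafana admin API or UI; both are passed in explicitly so the check runs offline and can be dropped into a fleet audit.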