Alpine: multiple grafana packages: security update to 7.4.3-r0 (deprecated)

high Tenable Cloud Security Plugin ID 400257

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to
bypass a permission check concerning a data source they should not be able to access. (CVE-2021-27962)

- The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On
Grafana instances using an external authentication service, this vulnerability allows any authenticated
user to add external groups to existing teams. This can be used to grant a user team permissions that the
user isn't supposed to have. (CVE-2021-28146)

- The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5
has an Incorrect Access Control issue. On Grafana instances using an external authentication service and
having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add
external groups to any existing team. This can be used to grant a user team permissions that the user
isn't supposed to have. (CVE-2021-28147)

- One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10,
and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to
send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against
a Grafana Enterprise instance. (CVE-2021-28148)

See Also

https://git.alpinelinux.org/aports/commit/?id=463d4e98ecdc385336015319e56195f95ec0ad6c

https://git.alpinelinux.org/aports/commit/?id=8aabf22aba217df23807fad765701443797a579e

Plugin Details

Severity: High

ID: 400257

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.63

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2021-27962

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2021

Vulnerability Publication Date: 3/22/2021

Reference Information

CVE: CVE-2021-27962, CVE-2021-28146, CVE-2021-28147, CVE-2021-28148