Information Exposure Affecting github.com/grafana/grafana/pkg/api package, versions <7.5.15 >=8.0.0 <8.3.5


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.15% (51st percentile)
Expand this section
NVD
4.3 medium
Expand this section
SUSE
4.3 medium
Expand this section
Red Hat
4.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMGRAFANAGRAFANAPKGAPI-2396335
  • published 9 Feb 2022
  • disclosed 9 Feb 2022
  • credit Kürşad ALSAN

How to fix?

Upgrade github.com/grafana/grafana/pkg/api to version 7.5.15, 8.3.5 or higher.

Overview

github.com/grafana/grafana/pkg/api is an open and composable observability and data visualization platform.

Affected versions of this package are vulnerable to Information Exposure. This vulnerability only impacts the following API endpoints:

/teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.

/teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.

/teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.