Information Exposure Affecting github.com/grafana/grafana/pkg/api package, versions <7.5.15, >=8.0.0 <8.3.5
- Snyk ID SNYK-GOLANG-GITHUBCOMGRAFANAGRAFANAPKGAPI-2396335
- published 9 Feb 2022
- disclosed 9 Feb 2022
- credit Kürşad ALSAN
Introduced: 9 Feb 2022
CVE-2022-21713
How to fix?
Upgrade github.com/grafana/grafana/pkg/api to version 7.5.15, 8.3.5 or higher.
Overview
github.com/grafana/grafana/pkg/api is an open and composable observability and data visualization platform.
Affected versions of this package are vulnerable to Information Exposure. This vulnerability only impacts the following API endpoints:
- /teams/:teamId - An authenticated attacker can view unintended data by querying for the specific team ID.
- /teams/:search - An authenticated attacker can search for teams and see the total number of available teams, including teams that the user does not have access to.
- /teams/:teamId/members - When the editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
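The first two endpoints above share one flaw class: team data is returned without a per-caller access check. The following Go sketch is an added example, not Grafana's code; it assumes a simplified model in which `Team`, `canView`, `GetTeam`, `SearchTeams` and the sample data are hypothetical names. It shows the scoping a reviewer should expect on both a lookup by ID and a search total.

```go
package main

import "fmt"

// Team is a simplified model for this example, not Grafana's schema.
type Team struct {
	ID      int64
	Name    string
	Members map[int64]bool // user IDs that belong to the team
}

var ErrDenied = fmt.Errorf("team not accessible")

// canView is the per-object check every team endpoint must apply.
func canView(t Team, userID int64, isAdmin bool) bool {
	return isAdmin || t.Members[userID]
}

// GetTeam models a lookup by ID; unknown and forbidden IDs give the same error.
func GetTeam(teams []Team, id, userID int64, isAdmin bool) (Team, error) {
	for _, t := range teams {
		if t.ID == id && canView(t, userID, isAdmin) {
			return t, nil
		}
	}
	return Team{}, ErrDenied
}

// SearchTeams filters first, then counts; returning len(teams) would leak the total.
func SearchTeams(teams []Team, userID int64, isAdmin bool) ([]Team, int) {
	var visible []Team
	for _, t := range teams {
		if canView(t, userID, isAdmin) {
			visible = append(visible, t)
		}
	}
	return visible, len(visible)
}

// sampleTeams is constructed data: user 10 belongs only to team 1.
var sampleTeams = []Team{
	{1, "ops", map[int64]bool{10: true}},
	{2, "finance", map[int64]bool{20: true}},
}

func main() {
	fmt.Println(GetTeam(sampleTeams, 2, 10, false)) // user 10 is not in team 2
	fmt.Println(SearchTeams(sampleTeams, 10, false))
}
```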