Description
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
References (8)
Release Notes, Vendor Advisory (x_refsource_misc): https://community.grafana.com/t/release-notes-v6-7-x/27119
Product, Vendor Advisory (x_refsource_misc): https://grafana.com/products/enterprise/
Mailing List, Third Party Advisory (x_refsource_confirm): https://www.openwall.com/lists/oss-security/2021/03/19/5
Release Notes, Vendor Advisory (x_refsource_confirm): https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
Vendor Advisory (x_refsource_misc): https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724
Release Notes, Vendor Advisory (x_refsource_misc): https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-3-10/
Release Notes, Vendor Advisory (x_refsource_misc): https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-5/
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20210430-0005/
Scores
CVSS v3: 7.5
EPSS: 0.0350
EPSS Percentile: 87.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-306
Status: published
Products (1): grafana/grafana 6.0.0 - 6.7.6
Published: Mar 22, 2021
Tracked Since: Feb 18, 2026