On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:
-
/teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
-
/teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
-
/teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).