CVE-2021-41244: 
Grafana vulnerability analysis and mitigation

CVE-2021-41244 affects Grafana, an open-source platform for monitoring and observability. The vulnerability was discovered during an internal security audit on November 2, 2021, and affects versions 8.0.0 through 8.2.3. The issue occurs when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance. Grafana Cloud instances were not affected by this vulnerability (Grafana Blog, OSS Security).

The vulnerability allows users with the Organization Admin role to list, add, remove, and update users' roles in other organizations where they do not have admin privileges. The CVSS v3.1 base score is rated as 9.1 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-863 (Incorrect Authorization) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) (GitHub Advisory, NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects organizations using multiple organization setups in Grafana with fine-grained access control beta feature enabled (NetApp Advisory).

Organizations should upgrade to Grafana version 8.2.4 or later as soon as possible. If immediate upgrade is not possible, the recommended workaround is to turn off the fine-grained access control using a feature flag. The vulnerability only affects installations that have fine-grained access control beta enabled and more than one organization (Grafana Blog).