FreeBSD: VID-d71d154a-8b83-11ec-b369-6c3be5272acd (CVE-2022-21713): Grafana -- Teams API IDOR

Grafana Labs reports: On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints: /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID. /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to. /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).