In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*" ] }