CVE-2023-2183 — Improper Access Control in Grafana

CWE-284 — Improper Access Control CWE-862 — Missing Authorization CWE-327 — Use of a Broken or Risky Cryptographic Algorithm7 documents5 sources

Severity

6.4MEDIUMNVD

CNA4.1

EPSS

0.9%

top 24.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Grafana Enterprise Github.com Grafana Grafana

Timeline

PublishedJun 6

Latest updateJun 12

Description

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. User…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5grafana/grafana8.0.0 — 8.5.26+4

▶NVDgrafana/grafana8.0.0 — 8.5.26+4

▶CVEListV5grafana/grafana_enterprise8.0.0 — 8.5.26+4

▶Gogithub.com/grafana_grafana9.0.0 — 9.2.19+4

🔴Vulnerability Details

GHSA

Grafana has Broken Access Control in Alert manager: Viewer can send test alerts↗2023-06-12

▶

OSV

Grafana has Broken Access Control in Alert manager: Viewer can send test alerts↗2023-06-12

▶

CVEList

CVE-2023-2183: Grafana is an open-source platform for monitoring and observability↗2023-06-06

▶

OSV

CVE-2023-2183: Grafana is an open-source platform for monitoring and observability↗2023-06-06

▶

📋Vendor Advisories

Red Hat

grafana: missing access control allows test alerts by underprivileged user↗2023-06-06

▶

Red Hat

openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher↗2023-01-16

▶