CVE-2023-2183
Published 2023-06-06
Priority: P337 · Severity: medium · CVSS 3.1 base score: 6.4
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 1.03% (59.3rd percentile)
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API, as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing a phishing attack, or blocking the SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 or 8.5.26 to receive a fix.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 8.5.26 | 8.5.26 |
| github.com | grafana_grafana | >= 9.0.0 < 9.2.19 | 9.2.19 |
| github.com | grafana_grafana | >= 9.3.0 < 9.3.15 | 9.3.15 |
| github.com | grafana_grafana | >= 9.4.0 < 9.4.12 | 9.4.12 |
| github.com | grafana_grafana | >= 9.5.0 < 9.5.3 | 9.5.3 |
| grafana | grafana | >= 8.0.0 < 8.5.26 | 8.5.26 |
| grafana | grafana | >= 9.0.0 < 9.2.19 | 9.2.19 |
| grafana | grafana | >= 9.3.0 < 9.3.15 | 9.3.15 |
| grafana | grafana | >= 9.4.0 < 9.4.12 | 9.4.12 |
| grafana | grafana | >= 9.5.0 < 9.5.3 | 9.5.3 |
| grafana | grafana_enterprise | >= 8.0.0 < 8.5.26 | 8.5.26 |
| grafana | grafana_enterprise | >= 9.0.0 < 9.2.19 | 9.2.19 |
| grafana | grafana_enterprise | >= 9.3.0 < 9.3.15 | 9.3.15 |
| grafana | grafana_enterprise | >= 9.4.0 < 9.4.12 | 9.4.12 |
| grafana | grafana_enterprise | >= 9.5.0 < 9.5.3 | 9.5.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| osv | | 6.4 | MEDIUM | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
ghsa · 2023-06-12 · CVE-2023-2183 · MEDIUM · CWE-284
### Summary
Grafana allows an attacker in the Viewer role to send alerts via the API (Alert - Test). The option is not available from the user panel UI for users in the Viewer role.
**Reason for the error**: The API does not check access to this function and allows it for users with the least rights, for example the Viewer, who does not see this option in the user panel.
This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, Slack, etc.), spamming users, preparing a phishing attack, or getting the SMTP server / IP blocked, with all messages automatically moved to the spam folder and the IP added to a blacklist.
### Details
The logged-in user, in the Viewer role, in the user panel, does not have access to the t
OSV
CVE-2023-2183: Grafana is an open-source platform for monitoring and observability
osv · 2023-06-06 · CVE-2023-2183 · MEDIUM · CVSS 6.4
Red Hat
grafana: missing access control allows test alerts by underprivileged user
vendor_redhat · 2023-06-06 · CVE-2023-2183 · MEDIUM · CWE-284 · CVSS 4.1
A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via
Red Hat
openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher
vendor_redhat · 2023-01-16 · CVE-2023-0296 · HIGH · CWE-327 · CVSS 7.5
The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. The CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3
- https://grafana.com/security/security-advisories/cve-2023-2183/
- https://security.netapp.com/advisory/ntap-20230706-0002/