CVE-2023-4822: Improper Privilege Management in Enterprise

Severity: 7.2 HIGH (NVD) | 6.7 (CNA)
EPSS: 0.3% (top 48.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16

Description

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (3 packages)

Source | Package | Introduced | Fixed
NVD | grafana/grafana | 8.0.0 | 9.4.16 (+4)
CVEListV5 | grafana/grafana_enterprise | 8.0.0 | 9.4.16 (+3)

Vulnerability Details (4)

GHSA: Grafana privilege escalation vulnerability (2023-10-16)
OSV: Grafana privilege escalation vulnerability (2023-10-16)
OSV: CVE-2023-4822: Grafana is an open-source platform for monitoring and observability (2023-10-16)
CVEList: CVE-2023-4822: Grafana is an open-source platform for monitoring and observability (2023-10-16)

Vendor Advisories (1)

Red Hat: grafana: incorrect assessment of permissions across organizations (2023-10-12)