CVE-2023-4822
Published 2023-10-16
Priority: P3 · 40 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.07% (60.8th percentile)
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations.
It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally.
This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user.
The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | 0 – 10.1.5 | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 10.0.0 < 10.0.7 | 10.0.7 |
| grafana | grafana | >= 10.1.0 < 10.1.3 | 10.1.3 |
| grafana | grafana | >= 8.0.0 < 9.4.16 | 9.4.16 |
| grafana | grafana | >= 9.5.0 < 9.5.11 | 9.5.11 |
| grafana | grafana_enterprise | >= 10.0.0 < 10.0.7 | 10.0.7 |
| grafana | grafana_enterprise | >= 10.1.0 < 10.1.3 | 10.1.3 |
| grafana | grafana_enterprise | >= 8.0.0 < 9.4.16 | 9.4.16 |
| grafana | grafana_enterprise | >= 9.5.0 < 9.5.11 | 9.5.11 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.2 | HIGH | — |
| vendor_redhat | 6.7 | MEDIUM | — |
GHSA
Grafana privilege escalation vulnerability
ghsa · 2023-10-16 · CVE-2023-4822 · MEDIUM · CWE-269
OSV
Grafana privilege escalation vulnerability
osv · 2023-10-16 · CVE-2023-4822 · MEDIUM
OSV
CVE-2023-4822: Grafana is an open-source platform for monitoring and observability
osv · 2023-10-16 · CVE-2023-4822 · HIGH · CVSS 7.2
Red Hat
grafana: incorrect assessment of permissions across organizations
vendor_redhat · 2023-10-12 · CVE-2023-4822 · MEDIUM · CVSS 6.7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-10-16