CVE-2023-6152 — Incorrect Authorization in Grafana

CWE-863 — Incorrect Authorization CWE-302 — Authentication Bypass by Assumed-Immutable Data6 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 54.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Grafana Enterprise Github.com Grafana Grafana

Timeline

PublishedFeb 13

Latest updateFeb 14

Description

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5grafana/grafana2.5.0 — 9.5.16+4

▶CVEListV5grafana/grafana_enterprise2.5.0 — 9.5.16+4

▶Gogithub.com/grafana_grafana2.5.0 — 9.5.16+4

▶NVDgrafana/grafana2.5.0+4

🔴Vulnerability Details

CVEList

CVE-2023-6152: A user changing their email after signing up and verifying it can change it without verification in profile settings↗2024-02-13

▶

OSV

Email Validation Bypass And Preventing Sign Up From Email's Owner↗2024-02-13

▶

OSV

CVE-2023-6152: A user changing their email after signing up and verifying it can change it without verification in profile settings↗2024-02-13

▶

GHSA

Email Validation Bypass And Preventing Sign Up From Email's Owner↗2024-02-13

▶

📋Vendor Advisories

Red Hat

grafana: email verification bypass↗2024-02-14

▶