Improper Access Control in Grafana Monitoring Platform
CVE-2023-2183

6.4MEDIUM

Key Information:

Vendor: Grafana
Status: Grafana; Grafana Enterprise
Vendor: CVE Published:; 6 June 2023

Summary

Grafana, a prominent open-source platform for monitoring and observability, suffers from an improper access control vulnerability. Users with the Viewer role can exploit the API to send test alerts, despite the UI restricting this action. This oversight could allow malicious actors to inundate users with spam alerts via email and Slack, potentially facilitating phishing attacks or causing disruption to SMTP servers. To mitigate this risk, users are advised to upgrade to versions 9.5.3, 9.4.12, 9.3.15, 9.2.19, or 8.5.26.

Affected Version(s)

Grafana 8.0.0 < 8.5.26

Grafana 9.0.0 < 9.2.19

Grafana 9.3.0 < 9.3.15

References

https://grafana.com/security/security-advisories/cve-2023...

https://github.com/grafana/bugbounty/security/advisories/...

https://security.netapp.com/advisory/ntap-20230706-0002/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 6, 2023
Vulnerability Reserved
Apr 19, 2023