Request Filtering Bypass in Grafana Enterprise by Grafana Labs
CVE-2023-4399
Severity score: 7.2 (HIGH)
Key Information:
- Vendor: Grafana
- Status: Vendor
- CVE Published: 17 October 2023
What is CVE-2023-4399?
Grafana Enterprise, a popular open-source monitoring and observability platform, contains a vulnerability in its Request security feature. This feature is designed to prevent access to specific hosts through a deny list configured by administrators. However, a bypass has been identified: an attacker can evade these restrictions by using punycode encoding in the request address. Because the deny list is matched against the address as written rather than against the name that is ultimately resolved, a differently encoded spelling of a blocked host is not recognised, and requests can reach hosts that were intended to be restricted, potentially leading to unauthorized data access and other security risks.
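The weakness described above comes down to comparing a hostname string before it has been canonicalised. The following is an added illustration, not Grafana's own code: a naive deny-list check next to a hardened one that reduces both the request host and every deny-list entry to the same IDNA (punycode) ASCII form before comparing, using a constructed deny list and Python's built-in `idna` codec to stand in for the normalisation a resolver applies.

```python
from urllib.parse import urlsplit

# Constructed deny list, as an administrator might write it (not Grafana's own).
DENY_HOSTS = {"metadata.internal", "bücher.example"}


def canonical_host(host: str) -> str:
    """Reduce a hostname to the ASCII form a resolver will actually look up.

    Python's "idna" codec applies nameprep (NFKC mapping, which also folds
    full-width look-alike letters to plain ASCII) and punycode-encodes any
    label that is still non-ASCII, so a Unicode spelling and its explicit
    "xn--" form collapse to one string.
    """
    host = host.strip().rstrip(".")  # ignore a trailing root dot
    # Labels that are already ASCII pass through the codec untouched, so
    # lower-case explicitly: hostnames are case-insensitive.
    return host.encode("idna").decode("ascii").lower()


# Canonicalise the deny list once, at configuration time.
DENIED_CANONICAL = {canonical_host(h) for h in DENY_HOSTS}


def naive_denied(url: str) -> bool:
    """Weak check: compares the raw hostname string against the deny list."""
    return (urlsplit(url).hostname or "") in DENY_HOSTS


def hardened_denied(url: str) -> bool:
    """Compare canonical forms on both sides; fail closed when in doubt."""
    raw = urlsplit(url).hostname
    if not raw:
        return True  # no usable host: refuse
    try:
        canon = canonical_host(raw)
    except UnicodeError:
        return True  # host cannot be encoded: refuse rather than guess
    return canon in DENIED_CANONICAL
```

Both checks agree on the plain spelling of a blocked host; only the hardened one also catches the punycode form and full-width look-alike letters.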
Affected Version(s)
- Grafana Enterprise 10.1.0 and later, before 10.1.5
- Grafana Enterprise 10.0.0 and later, before 10.0.9
- Grafana Enterprise 9.5.0 and later, before 9.5.13