Bug 2239726 (CVE-2023-4822)

Summary: CVE-2023-4822 grafana: incorrect assessment of permissions across organizations
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, ahanwate, amctagga, aoconnor, bniver, chazlett, dfreiber, eaguilar, ebaron, flucifre, gmeno, gparvin, jburrell, jkang, jpallich, jwendell, mbenjamin, mhackett, njean, owatkins, pahickey, pjindal, rcernich, rhaigner, rogbas, security-response-team, sfroberg, sostapov, stcannon, teagle, twalsh, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: grafana 10.1.3, grafana 10.0.7, grafana 9.5.11, grafana 9.4.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Grafana enterprise package. Grafana incorrectly assesses permissions to update global roles and role assignments; as a result, users with administrator permissions in one organization can change global role permissions and global role assignments. After successful exploitation, an attacker who has the Organization Admin role in any organization can elevate their permissions across all organizations, elevate other users' permissions in all organizations, or limit other users' permissions in all organizations.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-06-12 04:35:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2239735, 2239732, 2239733, 2239734
Bug Blocks: 2239727

Description Zack Miele 2023-09-19 20:42:13 UTC
Grafana is incorrectly assessing permissions to update global roles and role assignments; therefore, users with administrator permissions in one organization can change global role permissions and global role assignments.

The CVSS score for this vulnerability is 6.7 Medium.
Impact
If exploited, an attacker who has the Organization Admin role in any organization can elevate their permissions across all organizations, elevate other users’ permissions in all organizations or limit other users’ permissions in all organizations.

The vulnerability does not allow the attacker to become a member of an organization that they are not already a member of, or to add any other user to an organization that the attacker is not a member of.

Potentially breaking changes and resolution explanation

We now require users to be Grafana server administrators in order to update global roles and global role assignments. If you were relying on organization administrators being able to do that, you will now also need to grant Grafana server administrator privileges to them.

Impacted versions

Grafana 8.0.0 to Grafana 10.0.0 with RBAC enabled, and Grafana 10.0.0 - Grafana 10.1.1. Only Grafana enterprise instances with more than one organization are vulnerable. You can check if RBAC is enabled by calling GET /api/access-control/status.
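The exposure conditions listed above (Enterprise build, more than one organization, a version in the affected range and not a fixed release, and for pre-10.0 releases RBAC enabled per GET /api/access-control/status) combined into one triage function. This is an added example for defenders, not code from the bug report or from Grafana; the version bounds and fixed releases come from the text above, and the assumption that later patch releases on a fixed minor branch also carry the fix is noted in the comments.

```python
import json

# Version bounds and fixed releases are taken from the advisory text above.
# Assumption (not stated on the page): a fixed release and every later patch
# release on the same minor branch carry the fix.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (10, 1, 1)   # inclusive, per "Grafana 10.0.0 - Grafana 10.1.1"
FIXED_IN = [(10, 1, 3), (10, 0, 7), (9, 5, 11), (9, 4, 16)]


def parse_version(text: str) -> tuple:
    """Turn 'v10.0.3', '10.0.3-ee' or '9.5.11+security-01' into (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(p) for p in parts)


def rbac_enabled_from_status(body: str) -> bool:
    """Interpret the JSON body returned by GET /api/access-control/status.
    Assumes the documented shape {"enabled": true|false}; any other shape raises
    rather than silently reporting 'disabled' and hiding an exposed instance."""
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("enabled"), bool):
        raise ValueError("unexpected /api/access-control/status response")
    return data["enabled"]


def is_patched(v: tuple) -> bool:
    """True if v is a fixed release, or a later patch on the same minor branch."""
    return any(v[:2] == fixed[:2] and v >= fixed for fixed in FIXED_IN)


def assess(version: str, enterprise: bool, rbac_enabled: bool, org_count: int):
    """Return (affected, reason) for one instance, applying the advisory's conditions in order."""
    v = parse_version(version)
    if not enterprise:
        return False, "OSS build: only Grafana Enterprise instances are affected"
    if org_count < 2:
        return False, "single organization: no cross-organization escalation possible"
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False, "outside the affected range 8.0.0 - 10.1.1"
    if is_patched(v):
        return False, "patch release that contains the fix"
    if v < (10, 0, 0) and not rbac_enabled:
        return False, "RBAC disabled on a pre-10.0 release"
    return True, "Org Admins can edit global roles: upgrade, and review who holds Org Admin"
```

Feed it the version from the instance's health or settings endpoint, the status body as returned, and the organization count from the server-admin org listing; the reason string is meant to go straight into a finding.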

Comment 4 Sage McTaggart 2024-06-11 14:47:57 UTC
Avinash, this should be closed as not a bug, I think? But it is fixed in the 7.1 release regardless. (We don't use enterprise Grafana.)

Comment 5 errata-xmlrpc 2024-06-13 14:21:31 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925