Bug 2262000 (CVE-2023-6152)

Summary: CVE-2023-6152 grafana: email verification bypass
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, dfreiber, drow, flucifre, gmeno, gparvin, jburrell, jwendell, lbainbri, mbenjamin, mhackett, njean, owatkins, pahickey, rcernich, rhaigner, saroy, security-response-team, sfeifer, sidakwo, sipoyare, sostapov, twalsh, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: grafana 10.3.1, grafana 10.2.3, grafana 10.1.6, grafana 10.0.10
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was found in the verify_email_enabled feature of Grafana. Even when this configuration option is enabled, it does not fully enforce email verification. A remote attacker who has authenticated with basic credentials could change their account's email address to an unverified address. Successful exploitation could allow evasion of an organization's email domain filtering rules, for example allowing a user from a blocklisted country or service provider to use a service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2262002, 2262003, 2262004, 2270491, 2270493, 2282773
Bug Blocks: 2262001
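The doc text above describes an email change that takes effect without verification even though verify_email_enabled is set. The Go program below is an added example written for this page, not Grafana's code and not the code path that was fixed: it models a minimal user store with that weak behaviour (UpdateEmailUnchecked) beside a hardened flow (UpdateEmailVerified and ConfirmEmail) in which the trusted address only changes after a single-use verification token is presented. The Config fields, the in-memory store, the token handling and the domain allowlist are all assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Config is a constructed stand-in for the relevant settings; the field names
// are illustrative and are not Grafana's own configuration struct.
type Config struct {
	VerifyEmailEnabled  bool     // models verify_email_enabled
	AllowedEmailDomains []string // models an org's email domain filter (assumed)
}

// User keeps the trusted address apart from an address that is merely claimed.
type User struct {
	Login        string
	Email        string // the address the rest of the system may rely on
	PendingEmail string // claimed but not yet verified; hardened flow only
}

// pendingChange ties a verification token to exactly one requested address.
type pendingChange struct{ login, email string }

// UserStore is an in-memory substitute for the user database (assumed).
type UserStore struct {
	cfg    Config
	users  map[string]*User
	tokens map[string]pendingChange // single-use token -> requested change
}

func NewUserStore(cfg Config) *UserStore {
	return &UserStore{cfg: cfg, users: map[string]*User{}, tokens: map[string]pendingChange{}}
}

func (s *UserStore) AddUser(login, email string) { s.users[login] = &User{Login: login, Email: email} }
func (s *UserStore) Get(login string) *User    { return s.users[login] }

// domainAllowed applies the domain filter to an address that is about to
// become trusted. An empty allowlist means no filtering.
func (s *UserStore) domainAllowed(email string) bool {
	if len(s.cfg.AllowedEmailDomains) == 0 {
		return true
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false
	}
	dom := strings.ToLower(email[at+1:])
	for _, d := range s.cfg.AllowedEmailDomains {
		if dom == strings.ToLower(d) {
			return true
		}
	}
	return false
}

// UpdateEmailUnchecked models the weak behaviour the doc text describes:
// VerifyEmailEnabled is consulted nowhere, so an authenticated caller can make
// any address the trusted one without ever proving control of it, and a domain
// filter applied elsewhere in the system never sees a verified address.
func (s *UserStore) UpdateEmailUnchecked(login, newEmail string) error {
	u, ok := s.users[login]
	if !ok {
		return errors.New("no such user")
	}
	u.Email = newEmail
	return nil
}

// UpdateEmailVerified is the hardened form. With verification enabled the new
// address is parked in PendingEmail and a random single-use token is returned
// (a real system would mail it to newEmail, so only someone reading that
// mailbox can finish). The trusted field changes only in ConfirmEmail.
func (s *UserStore) UpdateEmailVerified(login, newEmail string) (string, error) {
	u, ok := s.users[login]
	if !ok {
		return "", errors.New("no such user")
	}
	if !s.domainAllowed(newEmail) {
		return "", fmt.Errorf("domain of %q is not allowed", newEmail)
	}
	if !s.cfg.VerifyEmailEnabled {
		u.Email = newEmail
		return "", nil
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	u.PendingEmail = newEmail
	s.tokens[tok] = pendingChange{login: login, email: newEmail}
	return tok, nil
}

// ConfirmEmail promotes the pending address once its token is presented. The
// token is burned on first use, and a token for a request that a later change
// request superseded is refused rather than promoting a stale address.
func (s *UserStore) ConfirmEmail(token string) error {
	p, ok := s.tokens[token]
	if !ok {
		return errors.New("unknown or already used token")
	}
	delete(s.tokens, token)
	u := s.users[p.login]
	if u == nil || u.PendingEmail != p.email {
		return errors.New("token does not match the pending change")
	}
	u.Email, u.PendingEmail = p.email, ""
	return nil
}

func main() {
	cfg := Config{VerifyEmailEnabled: true, AllowedEmailDomains: []string{"corp.example"}}

	weak := NewUserStore(cfg)
	weak.AddUser("alice", "alice@corp.example")
	_ = weak.UpdateEmailUnchecked("alice", "alice@blocked.example")
	fmt.Println("weak, trusted address now:", weak.Get("alice").Email)

	hard := NewUserStore(cfg)
	hard.AddUser("alice", "alice@corp.example")
	if _, err := hard.UpdateEmailVerified("alice", "alice@blocked.example"); err != nil {
		fmt.Println("hardened rejects:", err)
	}
	tok, _ := hard.UpdateEmailVerified("alice", "alice2@corp.example")
	fmt.Println("hardened before confirm:", hard.Get("alice").Email)
	_ = hard.ConfirmEmail(tok)
	fmt.Println("hardened after confirm: ", hard.Get("alice").Email)
}
```

The point of the split between Email and PendingEmail is that any downstream rule reading the trusted field (team sync, org membership, a domain allowlist) is evaluated only against an address the user has demonstrated control of; in the weak path that guarantee is lost the moment the update is accepted, regardless of what the verification setting says.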

Description Nick Tait 2024-01-30 21:28:58 UTC
From a direct private report from Grafana:

On November 21st, 2023 we verified the existence of a vulnerability that allows email verification bypass when using basic authentication in Grafana Enterprise (on-premises).
Your Grafana instance is vulnerable only if you use Grafana basic authentication <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C7nzuSa-sr-ExDECDtkQsqBtkIPyWCp7OfehAPZ64TOkmW-HiQcbNpcFuB_YOIOgltA=> and are running Grafana 10.3.1 or older. In that event, we recommend updating to one of the following releases as soon as possible.


	- Download release 10.3.2 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C8S_Cz1tUCernvTZvi4mneGv1WWkbomZk-R_qGfUcn0dSYGHEj6oMOQ6xosW41neehs=>
	- Download release 10.2.4 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6CyNBESwiikXLTGjyZ3LoPanL4q354F38rk1Gueimv1AbVhL1ISUhWj0NgsdKHS-cULI=>
	- Download release 10.1.7 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C1IyO-8-e6A3CUBGPhvAbJGceSMEmxiY5YBxpd6ZVV2ISoU-ofGtoOfUSP92dbajcDI=>
	- Download release 10.0.11 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6CzPx8ELeU5yhdx0nNyGcTTgHwxlUtBdPsEi2pKTOlZxfVls9KxyukstN-3B_g5_t7Ms=>
	- Download release 9.5.16 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C0sB6RxHd6sz_xeK93vidn_6mesDSkP5ywG6Y_BxVwTYI-6m4IB_7UV0WJxJ92BZZgc=>


Grafana Cloud customers are not impacted by this vulnerability so no action is required.
Lastly, please do not publicly share this information with any third parties until it is made available by us on our blog <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C3MrOxv6kBBVfiQ9cWzYgSyB0KSWJARD94n7X-WXFj8TgAyi-tthrAOGbCDHQsmTHx0=>.

Comment 9 Anten Skrabec 2024-05-22 21:26:22 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2282773]