Bug 2262000 (CVE-2023-6152) - CVE-2023-6152 grafana: email verification bypass
Summary: CVE-2023-6152 grafana: email verification bypass
Keywords:
Status: NEW
Alias: CVE-2023-6152
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2262002 2262003 2262004 2270491 2270493 2282773
Blocks: 2262001
Reported: 2024-01-30 21:28 UTC by Nick Tait
Modified: 2024-05-23 19:38 UTC (History)
27 users

Fixed In Version: grafana 10.3.1, grafana 10.2.3, grafana 10.1.6, grafana 10.0.10
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Nick Tait 2024-01-30 21:28:58 UTC
From a direct private report from Grafana:

On November 21st, 2023 we verified the existence of a vulnerability that allows email verification bypass when using basic authentication in Grafana Enterprise (on-premises).
Your Grafana instance is vulnerable only if you use Grafana basic authentication <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C7nzuSa-sr-ExDECDtkQsqBtkIPyWCp7OfehAPZ64TOkmW-HiQcbNpcFuB_YOIOgltA=> and are running Grafana 10.3.1 or older. In that event, we recommend updating to one of the following releases as soon as possible.

- Download release 10.3.2 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C8S_Cz1tUCernvTZvi4mneGv1WWkbomZk-R_qGfUcn0dSYGHEj6oMOQ6xosW41neehs=>
- Download release 10.2.4 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6CyNBESwiikXLTGjyZ3LoPanL4q354F38rk1Gueimv1AbVhL1ISUhWj0NgsdKHS-cULI=>
- Download release 10.1.7 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C1IyO-8-e6A3CUBGPhvAbJGceSMEmxiY5YBxpd6ZVV2ISoU-ofGtoOfUSP92dbajcDI=>
- Download release 10.0.11 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6CzPx8ELeU5yhdx0nNyGcTTgHwxlUtBdPsEi2pKTOlZxfVls9KxyukstN-3B_g5_t7Ms=>
- Download release 9.5.16 <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C0sB6RxHd6sz_xeK93vidn_6mesDSkP5ywG6Y_BxVwTYI-6m4IB_7UV0WJxJ92BZZgc=>

Grafana Cloud customers are not impacted by this vulnerability so no action is required.
Lastly, please do not publicly share this information with any third parties until it is made available by us on our blog <https://go.grafana.com/MzU2LVlGRy0zODkAAAGQ-uA6C3MrOxv6kBBVfiQ9cWzYgSyB0KSWJARD94n7X-WXFj8TgAyi-tthrAOGbCDHQsmTHx0=>.

Comment 9 Anten Skrabec 2024-05-22 21:26:22 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2282773]
