Bug 2210848 (CVE-2023-2183) - CVE-2023-2183 grafana: missing access control allows test alerts by underprivileged user
Keywords:
Status: NEW
Alias: CVE-2023-2183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2210912 2210913 2210914 2210919 2214616
Blocks: 2209803
Reported: 2023-05-29 18:09 UTC by Anten Skrabec
Modified: 2024-03-02 05:32 UTC (History)

Fixed In Version: grafana 9.5.3, grafana 9.4.12, grafana 9.3.15, grafana 9.2.19, grafana 8.5.26
Doc Type: ---
Doc Text:
A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test".
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7740 0 None None None 2023-12-12 13:55:31 UTC
Red Hat Product Errata RHSA-2023:7741 0 None None None 2023-12-12 13:56:27 UTC

Description Anten Skrabec 2023-05-29 18:09:05 UTC
CVE-2023-2183 Broken access control test alerts

The application allows an attacker in the Viewer role to send alerts via API Alert - Test. The option is not available from the user panel UI for the Viewer role.

The API does not check access to this function and allows it for users with the least rights, for example the Viewer, who does not see this option in the user panel. This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, Slack, etc.), spamming users, preparing a phishing attack, or getting the SMTP server / IP blocked so that all messages are automatically moved to the spam folder and the IP is added to a blacklist.

Affected Versions
Grafana 8.5 - Grafana 10
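The class of flaw above, in miniature, as an added illustration that is not Grafana's code: the same handler mounted bare (any authenticated caller, Viewer included, can fire it) versus wrapped in a server-side role check. The Viewer/Editor/Admin ordering, the context key and the route path are assumptions of this example.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

type Role int
const (
	Viewer Role = iota // Grafana's org roles, lowest privilege first (assumed)
	Editor
	Admin
)
type roleKey struct{} // context key carrying the authenticated caller's role

// testAlertHandler stands in for the test-alert endpoint; mounted bare it has the
// vulnerable shape the report describes: any authenticated caller can fire it.
func testAlertHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
}

// requireRole is the server-side check that was missing: the API itself must
// reject callers below the minimum role, hiding the UI option is not a control.
func requireRole(minRole Role, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, ok := r.Context().Value(roleKey{}).(Role)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if role < minRole {
			http.Error(w, "insufficient role", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// callAs sends one request to h as a caller holding role (or no session when
// authenticated is false) and returns the status code the handler produced.
func callAs(h http.HandlerFunc, role Role, authenticated bool) int {
	req := httptest.NewRequest(http.MethodPost, "/hypothetical/alert-test", nil)
	if authenticated {
		req = req.WithContext(context.WithValue(req.Context(), roleKey{}, role))
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```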

Comment 5 Avinash Hanwate 2023-06-13 15:26:31 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2214616]

Comment 7 errata-xmlrpc 2023-12-12 13:55:29 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:7740 https://access.redhat.com/errata/RHSA-2023:7740

Comment 8 errata-xmlrpc 2023-12-12 13:56:25 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741

