CVE-2023-2183 Broken access control test alerts

The application allows an attacker in the Viewer role to send alerts via the API Alert - Test. The option is not available from the user panel UI for the Viewer role. The API does not check access to this function and allows it for users with the least rights, for example the Viewer, who does not see this option in the user panel. This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, Slack, etc.), spamming users, preparing a phishing attack, or getting the SMTP server / IP blocked so that all messages are automatically moved to the spam folder and the IP is added to a blacklist.

Affected Versions: Grafana 8.5 - Grafana 10
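The pattern behind this CVE, as an added example that is not Grafana's code and not part of this report: an endpoint that only authenticates and relies on the UI to hide the action from Viewers, beside the same endpoint behind a server-side role check. The X-Role header, the /api/test-alert path and the allowed-role set are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Caller role; the X-Role header stands in for a real session lookup (assumption).
type Role string
const Viewer, Editor Role = "Viewer", "Editor"

// vulnerableTestAlert mirrors the flaw: the caller is authenticated (a role is present)
// but never authorized, so a Viewer can fire the e-mail/Slack test the UI hides from it.
func vulnerableTestAlert(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Role") == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "test alert queued") // stands in for the notifier
}

// requireRole enforces server-side what the UI only hid: roles not in allowed get 403.
func requireRole(allowed map[Role]bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if role := Role(r.Header.Get("X-Role")); role != "" && !allowed[role] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r) // next still answers the anonymous (empty role) case with 401
	}
}

// Same endpoint behind the check; Viewer is deliberately absent from the allowed set.
var fixedTestAlert = requireRole(map[Role]bool{Editor: true}, vulnerableTestAlert)
// statusFor POSTs as the given role (empty = anonymous) and returns the HTTP status code.
func statusFor(h http.HandlerFunc, role Role) int {
	req := httptest.NewRequest(http.MethodPost, "/api/test-alert", nil) // hypothetical path
	if role != "" {
		req.Header.Set("X-Role", string(role))
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(vulnerableTestAlert, Viewer), statusFor(fixedTestAlert, Viewer)) // 200 403
}
```

The check belongs in the API layer because hiding a button in the UI is not an access control; any authenticated client can call the endpoint directly.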
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2214616]
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:7740 https://access.redhat.com/errata/RHSA-2023:7740
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741