CVE-2023-2183
First published: Mon May 29 2023(Updated: )
<a href="https://access.redhat.com/security/cve/CVE-2023-2183">CVE-2023-2183</a> Broken access control test alerts The application allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for the Viewer role. The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP. Affected Versions Grafana 8.5 - Grafana 10
Credit: security@grafana.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/grafana | <9.5.3 | 9.5.3 |
| redhat/grafana | <9.4.12 | 9.4.12 |
| redhat/grafana | <9.3.15 | 9.3.15 |
| redhat/grafana | <9.2.19 | 9.2.19 |
| redhat/grafana | <8.5.26 | 8.5.26 |
| Grafana Labs Grafana OSS and Enterprise | >=8.0.0<8.5.26 | |
| Grafana Labs Grafana OSS and Enterprise | >=9.0.0<9.2.19 | |
| Grafana Labs Grafana OSS and Enterprise | >=9.3.0<9.3.15 | |
| Grafana Labs Grafana OSS and Enterprise | >=9.4.0<9.4.12 | |
| Grafana Labs Grafana OSS and Enterprise | >=9.5.0<9.5.3 | |
| >=8.0.0<8.5.26 | ||
| >=9.0.0<9.2.19 | ||
| >=9.3.0<9.3.15 | ||
| >=9.4.0<9.4.12 | ||
| >=9.5.0<9.5.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3
- https://grafana.com/security/security-advisories/cve-2023-2183/
- https://security.netapp.com/advisory/ntap-20230706-0002/
- https://access.redhat.com/security/cve/CVE-2023-2183
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214616
- https://access.redhat.com/errata/RHSA-2023:7740
- https://access.redhat.com/errata/RHSA-2023:7741
- https://bugzilla.redhat.com/show_bug.cgi?id=2210848
Frequently Asked Questions
What is CVE-2023-2183?
CVE-2023-2183 is a vulnerability in the Grafana open-source platform that allows users with the Viewer role to send test alerts using the API, bypassing the UI restrictions.
How severe is CVE-2023-2183?
CVE-2023-2183 has a severity rating of 6.4, which is considered medium.
Which versions of Grafana are affected by CVE-2023-2183?
Versions 8.0.0 to 8.5.26, 9.0.0 to 9.2.19, 9.3.0 to 9.3.15, 9.4.0 to 9.4.12, and 9.5.0 to 9.5.3 of Grafana are affected by CVE-2023-2183.
How can I fix the CVE-2023-2183 vulnerability?
To fix the CVE-2023-2183 vulnerability, it is recommended to upgrade your Grafana installation to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2023-2183?
You can find more information about CVE-2023-2183 in the following references: [1] [2] [3].
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-2183
- agent/software-canonical-lookup
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/grafana
- canonical/grafana labs grafana oss and enterprise
- version/grafana labs grafana oss and enterprise/8.0.0
- version/grafana labs grafana oss and enterprise/9.0.0
- version/grafana labs grafana oss and enterprise/9.3.0
- version/grafana labs grafana oss and enterprise/9.4.0
- version/grafana labs grafana oss and enterprise/9.5.0