CVE-2023-2183
First published: Mon May 29 2023(Updated: )
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
Credit: security@grafana.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=8.0.0<8.5.26 | |
| Grafana Grafana | >=9.0.0<9.2.19 | |
| Grafana Grafana | >=9.3.0<9.3.15 | |
| Grafana Grafana | >=9.4.0<9.4.12 | |
| Grafana Grafana | >=9.5.0<9.5.3 | |
| redhat/grafana | <9.5.3 | 9.5.3 |
| redhat/grafana | <9.4.12 | 9.4.12 |
| redhat/grafana | <9.3.15 | 9.3.15 |
| redhat/grafana | <9.2.19 | 9.2.19 |
| redhat/grafana | <8.5.26 | 8.5.26 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3
- https://grafana.com/security/security-advisories/cve-2023-2183/
- https://security.netapp.com/advisory/ntap-20230706-0002/
- https://access.redhat.com/security/cve/CVE-2023-2183
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214616
- https://access.redhat.com/errata/RHSA-2023:7740
- https://access.redhat.com/errata/RHSA-2023:7741
- https://bugzilla.redhat.com/show_bug.cgi?id=2210848
Frequently Asked Questions
What is CVE-2023-2183?
CVE-2023-2183 is a vulnerability in the Grafana open-source platform that allows users with the Viewer role to send test alerts using the API, bypassing the UI restrictions.
How severe is CVE-2023-2183?
CVE-2023-2183 has a severity rating of 6.4, which is considered medium.
Which versions of Grafana are affected by CVE-2023-2183?
Versions 8.0.0 to 8.5.26, 9.0.0 to 9.2.19, 9.3.0 to 9.3.15, 9.4.0 to 9.4.12, and 9.5.0 to 9.5.3 of Grafana are affected by CVE-2023-2183.
How can I fix the CVE-2023-2183 vulnerability?
To fix the CVE-2023-2183 vulnerability, it is recommended to upgrade your Grafana installation to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2023-2183?
You can find more information about CVE-2023-2183 in the following references: [1] [2] [3].
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-2183
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/8.0.0
- version/grafana grafana/9.0.0
- version/grafana grafana/9.3.0
- version/grafana grafana/9.4.0
- version/grafana grafana/9.5.0
- package-manager/redhat