CVE-2023-4822 – grafana: incorrect assessment of permissions across organizations
https://notcve.org/view.php?id=CVE-2023-4822
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of. Grafana es una plataforma de código abierto para monitorización y observabilidad. La vulnerabilidad afecta las instancias de Grafana con varias organizaciones y permite a un usuario con permisos de Organization Admin en una organización cambiar los permisos asociados con los roles de Organization Viewer, Organization Editor and Organization Admin en todas las organizaciones. También permite que un Organization Admin asigne o revoque cualquier permiso que tenga para cualquier usuario a nivel mundial. • https://grafana.com/security/security-advisories/cve-2023-4822 https://security.netapp.com/advisory/ntap-20231103-0008 https://access.redhat.com/security/cve/CVE-2023-4822 https://bugzilla.redhat.com/show_bug.cgi?id=2239726 • CWE-269: Improper Privilege Management •
CVE-2023-34111 – Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin
https://notcve.org/view.php?id=CVE-2023-34111
The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. • https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25 https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr https://securitylab.github.com/research/github-actions-untrusted-input • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •