CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-3128 – grafana: account takeover possible when using Azure AD OAuth
https://notcve.org/view.php?id=CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information. • https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp https://grafana.com/security/security-advisories/cve-2023-3128 https://security.netapp.com/advisory/ntap-20230714-0004 https://access.redhat.com/security/cve/CVE-2023-3128 https://bugzilla.redhat.com/show_bug.cgi?id=2213626 • CWE-290: Authentication Bypass by Spoofing CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 1CVE-2023-2183 – grafana: missing access control allows test alerts by underprivileged user
https://notcve.org/view.php?id=CVE-2023-2183
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test". • https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3 https://grafana.com/security/security-advisories/cve-2023-2183 https://security.netapp.com/advisory/ntap-20230706-0002 https://access.redhat.com/security/cve/CVE-2023-2183 https://bugzilla.redhat.com/show_bug.cgi?id=2210848 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-2801 – grafana: data source proxy race condition
https://notcve.org/view.php?id=CVE-2023-2801
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix. A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. • https://grafana.com/security/security-advisories/cve-2023-2801 https://security.netapp.com/advisory/ntap-20230706-0002 https://access.redhat.com/security/cve/CVE-2023-2801 https://bugzilla.redhat.com/show_bug.cgi?id=2210840 • CWE-662: Improper Synchronization CWE-820: Missing Synchronization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-34111 – Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin
https://notcve.org/view.php?id=CVE-2023-34111
The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. • https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25 https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr https://securitylab.github.com/research/github-actions-untrusted-input • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •