CVE-2023-2183 – grafana: missing access control allows test alerts by underprivileged user
https://notcve.org/view.php?id=CVE-2023-2183
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test". • https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3 https://grafana.com/security/security-advisories/cve-2023-2183 https://security.netapp.com/advisory/ntap-20230706-0002 https://access.redhat.com/security/cve/CVE-2023-2183 https://bugzilla.redhat.com/show_bug.cgi?id=2210848 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2023-2801 – grafana: data source proxy race condition
https://notcve.org/view.php?id=CVE-2023-2801
Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix. A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. • https://grafana.com/security/security-advisories/cve-2023-2801 https://security.netapp.com/advisory/ntap-20230706-0002 https://access.redhat.com/security/cve/CVE-2023-2801 https://bugzilla.redhat.com/show_bug.cgi?id=2210840 • CWE-662: Improper Synchronization CWE-820: Missing Synchronization •
CVE-2023-34111 – Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin
https://notcve.org/view.php?id=CVE-2023-34111
The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. • https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25 https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr https://securitylab.github.com/research/github-actions-untrusted-input • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2023-1387 – grafana: JWT token leak to data source
https://notcve.org/view.php?id=CVE-2023-1387
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana. A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the "url_login" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system. • https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j https://grafana.com/security/security-advisories/cve-2023-1387 https://security.netapp.com/advisory/ntap-20230609-0003 https://access.redhat.com/security/cve/CVE-2023-1387 https://bugzilla.redhat.com/show_bug.cgi?id=2186322 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-1410 – Stored XSS in Graphite FunctionDescription tooltip
https://notcve.org/view.php?id=CVE-2023-1410
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed. • https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76 https://grafana.com/security/security-advisories/cve-2023-1410 https://security.netapp.com/advisory/ntap-20230420-0003 https://access.redhat.com/security/cve/CVE-2023-1410 https://bugzilla.redhat.com/show_bug.cgi?id=2181117 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •