CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4399
https://notcve.org/view.php?id=CVE-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address. Grafana es una plataforma de código abierto para monitorización y observabilidad. En Grafana Enterprise, la seguridad de solicitudes es una lista de denegación que permite a los administradores configurar Grafana de manera que la instancia no llame a hosts específicos. Sin embargo, la restricción se puede eludir utilizando la codificaciówn punycode de los caracteres en la dirección de solicitud. • https://grafana.com/security/security-advisories/cve-2023-4399 https://security.netapp.com/advisory/ntap-20231208-0003 • CWE-183: Permissive List of Allowed Inputs •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4457
https://notcve.org/view.php?id=CVE-2023-4457
Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2. Grafana es una plataforma de código abierto para monitorización y observabilidad. El complemento de fuente de datos de Google Sheets para Grafana, versiones 0.9.0 a 1.2.2, son afectados por a una vulnerabilidad de divulgación de información. El complemento no sanitizo adecuadamente los mensajes de error, lo que potencialmente expuso la clave API de Google Sheet que está configurada para la fuente de datos. Esta vulnerabilidad se solucionó en la versión 1.2.2. • https://grafana.com/security/security-advisories/cve-2023-4457 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4822 – grafana: incorrect assessment of permissions across organizations
https://notcve.org/view.php?id=CVE-2023-4822
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of. Grafana es una plataforma de código abierto para monitorización y observabilidad. La vulnerabilidad afecta las instancias de Grafana con varias organizaciones y permite a un usuario con permisos de Organization Admin en una organización cambiar los permisos asociados con los roles de Organization Viewer, Organization Editor and Organization Admin en todas las organizaciones. También permite que un Organization Admin asigne o revoque cualquier permiso que tenga para cualquier usuario a nivel mundial. • https://grafana.com/security/security-advisories/cve-2023-4822 https://security.netapp.com/advisory/ntap-20231103-0008 https://access.redhat.com/security/cve/CVE-2023-4822 https://bugzilla.redhat.com/show_bug.cgi?id=2239726 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-3128 – grafana: account takeover possible when using Azure AD OAuth
https://notcve.org/view.php?id=CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information. • https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp https://grafana.com/security/security-advisories/cve-2023-3128 https://security.netapp.com/advisory/ntap-20230714-0004 https://access.redhat.com/security/cve/CVE-2023-3128 https://bugzilla.redhat.com/show_bug.cgi?id=2213626 • CWE-290: Authentication Bypass by Spoofing CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 1CVE-2023-2183 – grafana: missing access control allows test alerts by underprivileged user
https://notcve.org/view.php?id=CVE-2023-2183
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test". • https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3 https://grafana.com/security/security-advisories/cve-2023-2183 https://security.netapp.com/advisory/ntap-20230706-0002 https://access.redhat.com/security/cve/CVE-2023-2183 https://bugzilla.redhat.com/show_bug.cgi?id=2210848 • CWE-284: Improper Access Control CWE-862: Missing Authorization •