FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-28 14:09:37 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID                                Description
6d31ef38-df85-11ee-abf1-6c3be5272acd    Grafana -- Data source permission escalation

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.


Discovery: 2024-02-12
Entry:     2024-03-11
Modified:  2024-03-26

Affected packages:
  grafana   >= 8.5.0, < 9.5.17
            >= 10.0.0, < 10.0.12
            >= 10.1.0, < 10.1.8
            >= 10.2.0, < 10.2.5
            >= 10.3.0, < 10.3.4
  grafana9  < 9.5.17

References:
  CVE-2024-1442
  https://grafana.com/security/security-advisories/cve-2024-1442/
652064ef-056f-11ee-8e16-6c3be5272acd    Grafana -- Grafana DS proxy race condition

Grafana Labs reports:

We have discovered a vulnerability with Grafana’s data source query endpoints that could end up crashing a Grafana instance.

If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High.

If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script.


Discovery: 2023-06-06
Entry:     2023-06-07

Affected packages:
  grafana   >= 9.4.0, < 9.4.12
            >= 9.5.0, < 9.5.3
  grafana9  >= 9.4.0, < 9.4.12
            >= 9.5.0, < 9.5.3

References:
  CVE-2023-2801
6c1de144-056f-11ee-8e16-6c3be5272acd    Grafana -- Broken access control: viewer can send test alerts

Grafana Labs reports:

Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).


Discovery: 2023-06-06
Entry:     2023-06-07

Affected packages:
  grafana   >= 8.0.0, < 8.5.26
            >= 9.0.0, < 9.2.19
            >= 9.3.0, < 9.3.15
            >= 9.4.0, < 9.4.12
            >= 9.5.0, < 9.5.3
  grafana8  >= 8.0.0, < 8.5.26
  grafana9  < 9.2.19
            >= 9.3.0, < 9.3.15
            >= 9.4.0, < 9.4.12
            >= 9.5.0, < 9.5.3

References:
  CVE-2023-2183
  https://grafana.com/security/security-advisories/cve-2023-2183/
6a851dc0-cfd2-11ee-ac09-6c3be5272acd    Grafana -- Email verification is not required after email change

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is 5.4 Medium (CVSS).


Discovery: 2023-11-10
Entry:     2024-02-20

Affected packages:
  grafana    < 9.5.16
             >= 10.0.0, < 10.0.11
             >= 10.1.0, < 10.1.7
             >= 10.2.0, < 10.2.4
             >= 10.3.0, < 10.3.3
  grafana9   < 9.5.16
  grafana10  < 10.0.11
             >= 10.1.0, < 10.1.7
             >= 10.2.0, < 10.2.4
             >= 10.3.0, < 10.3.3

References:
  CVE-2023-6152
  https://grafana.com/security/security-advisories/cve-2023-6152/
fdbe9aec-118b-11ee-908a-6c3be5272acd    Grafana -- Account takeover / authentication bypass

Grafana Labs reports:

Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.

The CVSS score for this vulnerability is 9.4 Critical.


Discovery: 2023-06-22
Entry:     2023-06-23

Affected packages:
  grafana    >= 6.7.0, < 8.5.27
             >= 9.0.0, < 9.2.20
             >= 9.3.0, < 9.3.16
             >= 9.4.0, < 9.4.13
             >= 9.5.0, < 9.5.5
             >= 10.0.0, < 10.0.1
  grafana8   < 8.5.27
  grafana9   < 9.2.20
             >= 9.3.0, < 9.3.16
             >= 9.4.0, < 9.4.13
             >= 9.5.0, < 9.5.5
  grafana10  < 10.0.1

References:
  CVE-2023-3128
  https://grafana.com/security/security-advisories/cve-2023-3128