#VU89210 Incorrect authorization in Grafana - CVE-2023-6152

Vulnerability identifier: #VU89210

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-6152

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote attacker to bypass email verification.

The vulnerability exists due to email addresses are verified only during sign up, if "verify_email_enabled" option is set. A remote attacker can register an account and then set an arbitrary email address without verification.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Grafana: 2.5.0, 2.6.0 beta1 - 2.6.0, 3.0 beta1 - 3.0.4, 3.1.0 beta1 - 3.1.1, 4.0.0 beta1 - 4.0.2, 4.1.0 beta1 - 4.1.2, 4.2.0 beta1 - 4.2.0, 4.3.0 beta1 - 4.3.2, 4.4.0 - 4.4.3, 4.5.0 beta1 - 4.5.2, 4.6.0 beta1 - 4.6.5, 5.0.0 beta1 - 5.0.4, 5.1.0 beta1 - 5.1.5, 5.2.0 beta1 - 5.2.5, 5.3.0 beta1 - 5.3.4, 5.4.0 - 5.4.5, 6.0.0 - 6.0.2, 6.1.0 - 6.1.6, 6.2.0 - 6.2.5, 6.3.0 - 6.3.7, 6.4.0 - 6.4.5, 6.5 - 6.5.3, 6.6.0 - 6.6.2, 6.7.0 - 6.7.6, 7.0.0 - 7.0.6, 7.1.0 - 7.1.5, 7.2.0 - 7.2.3, 7.3.0 - 7.3.10, 7.4.0 - 7.4.5, 7.5.0 - 7.5.17, 8.0.0 - 8.0.7, 8.1.0 - 8.1.8, 8.2.0 - 8.2.7, 8.3.0 - 8.3.11, 8.4.0 - 8.4.11, 8.5.0 - 8.5.27, 9.0.0 - 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.10, 9.2.13, 9.2.15, 9.2.17, 9.2.18, 9.2.19, 9.2.20, 9.3.0, 9.3.1, 9.3.2, 9.3.4, 9.3.6, 9.3.8, 9.3.11, 9.3.13, 9.3.14, 9.3.15, 9.3.16, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.7, 9.4.9, 9.4.10, 9.4.12, 9.4.13, 9.4.14, 9.4.15, 9.4.17, 9.5.0 - 9.5.15, 10.0.0 - 10.0.10, 10.1.0 - 10.1.6, 10.2.0 - 10.2.3, 10.3.0 - 10.3.1

---

External links
https://grafana.com/security/security-advisories/cve-2023-6152/
https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.