Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-4822

Опубликовано: 16 окт. 2023
Источник: nvd
CVSS3: 6.7
CVSS3: 7.2
EPSS Низкий

Описание

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations.

It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally.

This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user.

The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 8.0.0 (включая) до 9.4.16 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 9.5.0 (включая) до 9.5.11 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 10.0.0 (включая) до 10.0.7 (исключая)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Версия от 10.1.0 (включая) до 10.1.3 (исключая)
cpe:2.3:a:grafana:grafana:10.1.4:*:*:*:enterprise:*:*:*

EPSS

Процентиль: 67%
0.00545
Низкий

6.7 Medium

CVSS3

7.2 High

CVSS3

Дефекты

CWE-269
NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2023-4822

CVSS3: 6.7
ubuntu
больше 1 года назад

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.

redhat логотип

CVE-2023-4822

CVSS3: 6.7
redhat
больше 1 года назад

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.

debian логотип

CVE-2023-4822

CVSS3: 6.7
debian
больше 1 года назад

Grafana is an open-source platform for monitoring and observability. T ...

github логотип

GHSA-fw9c-75hh-89p6

CVSS3: 6.7
github
больше 1 года назад

Grafana privilege escalation vulnerability

fstec логотип

BDU:2024-02572

CVSS3: 7.2
fstec
больше 1 года назад

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с разрешительный список разрешенных входов, позволяющая нарушителю повысить свои привилегии

EPSS

Процентиль: 67%
0.00545
Низкий

6.7 Medium

CVSS3

7.2 High

CVSS3

Дефекты

CWE-269
NVD-CWE-noinfo