5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
7.1 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
Grafana Labs reports:
The vulnerability impacts instances where
Grafana basic authentication is enabled.
Grafana has a
verify_email_enabled configuration option. When this option is enabled,
users are required to confirm their email addresses before the sign-up process
is complete. However, the email is only checked at the time of the sign-up.
No further verification is carried out if a userβs email address is updated
after the initial sign-up. Moreover, Grafana allows using an email address
as the userβs login name, and no verification is ever carried out for this email
address.
This means that even if the
verify_email_enabled configuration option is enabled, users can use
unverified email addresses to log into Grafana if the email address
has been changed after the sign up, or if an email address is set as the login
name.
The CVSS score for this vulnerability is [5.4 Medium] (CVSS).
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
7.1 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%