Grafana Enterprise Datasource Network Restrictions Bypass (CVE-2023-4399)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(186028);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/16");

  script_cve_id("CVE-2023-4399");
  script_xref(name:"IAVB", value:"2023-B-0087-S");

  script_name(english:"Grafana Enterprise Datasource Network Restrictions Bypass (CVE-2023-4399)");

  script_set_attribute(attribute:"synopsis", value:
"The web application running on the remote web server is affected by a restriction bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of Grafana Enterprise running on the remote 
host is a version 9.4.x prior to 9.4.17, 9.5.x prior to 9.5.13, 10.0.x prior to 10.0.9 or 10.1.x prior to 
10.1.5. It is, therefore, affected by a restriction bypass vulnerability.  In Grafana Enterprise, 
Request security is a deny list that allows admins to configure Grafana in a way so that the instance 
does not call specific hosts. However, the restriction can be bypassed used punycode encoding of the 
characters in the request address.
 
Note that Nessus has not tested for these issues but has instead relied only on the application's 
self-reported version number.");
  # https://grafana.com/security/security-advisories/cve-2023-4399
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6d6b9724");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Grafana 9.4.17, 9.5.13, 10.0.9, 10.1.5 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4399");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:grafana:grafana");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("grafana_labs_detect.nbin");
  script_require_keys("installed_sw/Grafana Labs");
  script_require_ports("Services/www", 3000);

  exit(0);
}
include('vcf.inc');
include("http.inc");

var port = get_http_port(default:3000);

var app_info = vcf::get_app_info(app:'Grafana Labs', port:port, webapp:TRUE);

# If there's no edition information only flag if paranoid
if ((empty_or_null(app_info.Edition) && report_paranoia < 2) || app_info.Edition != 'Enterprise')
  vcf::audit(app_info);

var constraints = [
  { 'min_version' : '9.4.0', 'fixed_version' : '9.4.17' },
  { 'min_version' : '9.5.0', 'fixed_version' : '9.5.13' },
  { 'min_version' : '10.0.0', 'fixed_version' : '10.0.9' },
  { 'min_version' : '10.1.0', 'fixed_version' : '10.1.5' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);