Grafana 8.x < 9.4.17, 9.5.x < 9.5.13, 9.6.x < 10.0.9, 10.1.x < 10.1.5 Cross-Organization Permission Escalation Vulnerability

2023-10-1600:00:00

plugins.openvas.org

grafana

cross-organization

permission escalation

vulnerability

cvss

cve-2023-4822

rbac

update

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.1%

JSON

Grafana is prone to a cross-organization permission escalation
by an organization administrator vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:grafana:grafana";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.170605");
  script_version("2023-10-24T05:06:28+0000");
  script_tag(name:"last_modification", value:"2023-10-24 05:06:28 +0000 (Tue, 24 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-10-16 14:33:28 +0000 (Mon, 16 Oct 2023)");
  script_tag(name:"cvss_base", value:"8.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-10-20 18:30:00 +0000 (Fri, 20 Oct 2023)");

  script_cve_id("CVE-2023-4822");

  script_tag(name:"qod_type", value:"remote_banner_unreliable"); # nb: affects only instances with more than one organisation, and with RBAC enabled (prior to 10.0.0)

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Grafana 8.x < 9.4.17, 9.5.x < 9.5.13, 9.6.x < 10.0.9, 10.1.x < 10.1.5 Cross-Organization Permission Escalation Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_grafana_http_detect.nasl");
  script_mandatory_keys("grafana/detected");

  script_tag(name:"summary", value:"Grafana is prone to a cross-organization permission escalation
  by an organization administrator vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Vulnerable versions of Grafana are incorrectly assessing
  permissions to update cross-organization roles and role assignments. Therefore users with
  administrator permissions in one organization can change cross-organization role permissions and
  cross-organization role assignments.

  This vulnerability impacts instances with more than one organization running Grafana Enterprise
  versions.

  No Grafana Cloud instances are impacted because the platform is limited to a single organization.");

  script_tag(name:"impact", value:"If exploited, an attacker who has the Organization Admin role in
  any organization can elevate their permissions across all organizations, elevate other users'
  permissions in all organizations, or limit other users' permissions in all organizations.

  The vulnerability, however, does not allow the attacker to become a member of an organization that
  they are not already a member of, nor can they add any other user to an organization that the
  attacker is not a member of already.");

  script_tag(name:"affected", value:"Grafana version 8.x prior to 9.4.17, 9.5.x prior to 9.5.13,
  9.6.x prior to 10.0.9 and 10.1.x prior to 10.1.5.

  Versions between 8.0.0 and 10.0.0 are only vulnerable if role-based access control (RBAC) is
  enabled.");

  script_tag(name:"solution", value:"Update to version 9.4.17, 9.5.13, 10.0.9, 10.1.5 or later.");

  script_xref(name:"URL", value:"https://grafana.com/blog/2023/10/13/grafana-security-release-new-versions-of-grafana-with-a-medium-severity-security-fix-for-cve-2023-4822/");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range_exclusive(version: version, test_version_lo: "8.0.0", test_version_up: "9.4.17")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "9.4.17", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "9.5.0", test_version_up: "9.5.13")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "9.5.13", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "9.6.0", test_version_up: "10.0.9")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "10.0.9", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "10.1.0", test_version_up: "10.1.5")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "10.1.5", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}


exit(0);