
=====================================================================

                               CERT-Renater

                    Information Note No. 2023/VULN220

_____________________________________________________________________

DATE                : 14/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to 9.5.3,
                             9.4.12, 9.3.15, 9.2.19, 8.5.26.

=====================================================================
https://grafana.com/security/security-advisories/cve-2023-2183/
_____________________________________________________________________

Broken Access Control in Alert manager: Viewer can send test alerts

CVE ID: CVE-2023-2183
Date Published: 2023-06-06


Description:

Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel
UI for users having the Viewer role. It is still possible for a user
with the Viewer role to send a test alert through the API, because the
API does not check access to this function. This might enable
malicious users to abuse the functionality by sending multiple alert
messages to e-mail and Slack, spamming users, preparing a phishing
attack or blocking the SMTP server. Users may upgrade to versions
9.5.3, 9.4.12, 9.3.15, 9.2.19 or 8.5.26 to receive a fix.
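As an added example that is not part of the advisory or of Grafana's own code, the following Python check maps an inventory of Grafana versions against the fixed releases listed above, taking the per-branch fixes into account (9.4.12 is patched although it is lower than 9.5.3, while a branch without a patched release such as 9.1.x stays affected). The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Optional

# Patched releases per release branch, as listed in the advisory above.
FIXED_VERSIONS = ["9.5.3", "9.4.12", "9.3.15", "9.2.19", "8.5.26"]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'v9.4.11' or '9.4.11-abc123' into (9, 4, 11); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fixed_version_for_branch(version: tuple) -> Optional[tuple]:
    """Return the patched release on the same major.minor branch, if the advisory lists one."""
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f[:2] == version[:2]:
            return f
    return None


def is_vulnerable_cve_2023_2183(text: str) -> bool:
    """True when the given Grafana version is still affected by CVE-2023-2183."""
    v = parse_version(text)
    fixed = fixed_version_for_branch(v)
    if fixed is not None:
        # The branch has a patched release: affected only below it.
        return v < fixed
    # No patched release on this branch (e.g. 9.1.x, 9.0.x, 8.4.x): anything older than
    # the newest patched line is "prior to" the fixes; newer lines (10.x) fall outside
    # the advisory's affected range.
    newest_fix = max(parse_version(f) for f in FIXED_VERSIONS)
    return v < newest_fix


def affected_hosts(inventory: dict) -> list:
    """Return the sorted hostnames whose Grafana version still needs the upgrade."""
    return sorted(h for h, ver in inventory.items() if is_vulnerable_cve_2023_2183(ver))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "grafana-prod": "9.4.11",
    "grafana-staging": "v9.5.3",
    "grafana-legacy": "8.5.20",
    "grafana-dev": "9.1.8",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Grafana {SAMPLE_INVENTORY[host]} is affected by CVE-2023-2183, upgrade")
```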

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

