
Grafana security release: Medium severity security fix for CVE-2023-6152

14 Feb, 2024

Today we are releasing Grafana 10.3.3, 10.2.4, 10.1.7, 10.0.11 and 9.5.16. These patch releases contain a fix for CVE-2023-6152, a medium severity security vulnerability in Grafana’s basic authentication system.

Releases containing the security patch:

  • Grafana 10.3.3 (latest release)
  • Grafana 10.2.4
  • Grafana 10.1.7
  • Grafana 10.0.11
  • Grafana 9.5.16

Email verification bypass when using Grafana’s basic authentication (CVE-2023-6152)

Summary

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.
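The two bypasses above come down to one state bug: the "email verified" fact is checked once, at sign-up, and never tied to the address the account actually asserts afterwards. The following Go model is an added example, not Grafana's code or its fix; it uses a hypothetical in-memory user store (User, Store, Authenticate and friends are assumptions for illustration, and passwords are omitted because the point is identity claims, not credentials). UpdateEmailVulnerable mirrors the pre-fix behaviour from the advisory; UpdateEmailHardened and UnverifiedClaims show one way to close both holes by resetting verification on change and refusing any email-shaped identity the user has not confirmed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model of the flaw, not Grafana's code. Verification state
// is tracked per user so the bypass can be shown end to end.
type User struct {
	Login         string
	Email         string
	EmailVerified bool
}

// Store models a user table plus the verify_email_enabled option.
type Store struct {
	VerifyEmailEnabled bool
	users              map[string]*User // keyed by login name
}

func NewStore(verifyEmailEnabled bool) *Store {
	return &Store{VerifyEmailEnabled: verifyEmailEnabled, users: map[string]*User{}}
}

func looksLikeEmail(s string) bool { return strings.Count(s, "@") == 1 }

// SignUp: confirmed reports whether the user completed the confirmation
// step. In the pre-fix logic this is the only place it is ever checked.
func (s *Store) SignUp(login, email string, confirmed bool) (*User, error) {
	if s.VerifyEmailEnabled && !confirmed {
		return nil, errors.New("sign-up: email not confirmed")
	}
	if _, exists := s.users[login]; exists {
		return nil, errors.New("sign-up: login taken")
	}
	u := &User{Login: login, Email: email, EmailVerified: confirmed || !s.VerifyEmailEnabled}
	s.users[login] = u
	return u, nil
}

// UpdateEmailVulnerable mirrors the pre-fix behaviour: the address changes
// but the verified flag set at sign-up is never reset.
func (s *Store) UpdateEmailVulnerable(login, newEmail string) error {
	u, ok := s.users[login]
	if !ok {
		return errors.New("no such user")
	}
	u.Email = newEmail
	return nil
}

// UpdateEmailHardened: a changed address starts unverified whenever
// verification is required; ConfirmEmail models the confirmation link.
func (s *Store) UpdateEmailHardened(login, newEmail string) error {
	u, ok := s.users[login]
	if !ok {
		return errors.New("no such user")
	}
	u.Email = newEmail
	u.EmailVerified = !s.VerifyEmailEnabled
	return nil
}

func (s *Store) ConfirmEmail(login string) error {
	u, ok := s.users[login]
	if !ok {
		return errors.New("no such user")
	}
	u.EmailVerified = true
	return nil
}

// FindByLoginOrEmail models a basic-auth lookup that accepts either field.
func (s *Store) FindByLoginOrEmail(id string) (*User, bool) {
	if u, ok := s.users[id]; ok {
		return u, true
	}
	for _, u := range s.users {
		if strings.EqualFold(u.Email, id) {
			return u, true
		}
	}
	return nil, false
}

// UnverifiedClaims lists every email-shaped identity the user asserts without
// having verified it: an unverified Email, or an email-shaped Login that is
// not the same string as a verified Email.
func (s *Store) UnverifiedClaims(u *User) []string {
	var claims []string
	if !u.EmailVerified {
		claims = append(claims, u.Email)
	}
	if looksLikeEmail(u.Login) && !(u.EmailVerified && strings.EqualFold(u.Login, u.Email)) {
		claims = append(claims, u.Login)
	}
	return claims
}

// Authenticate resolves a basic-auth identifier. With hardened=false it
// behaves like the pre-fix path (no check at all); with hardened=true it
// refuses accounts carrying unverified email claims when verification is on.
func (s *Store) Authenticate(id string, hardened bool) (*User, error) {
	u, ok := s.FindByLoginOrEmail(id)
	if !ok {
		return nil, errors.New("unknown user")
	}
	if hardened && s.VerifyEmailEnabled {
		if claims := s.UnverifiedClaims(u); len(claims) > 0 {
			return nil, fmt.Errorf("unverified email identity: %v", claims)
		}
	}
	return u, nil
}

func main() {
	s := NewStore(true)
	s.SignUp("mallory", "mallory@example.test", true) // confirms a throwaway address
	s.UpdateEmailVulnerable("mallory", "victim@example.org")
	_, err := s.Authenticate("victim@example.org", false)
	fmt.Println("pre-fix login with swapped address, err =", err)
	s.SignUp("victim2@example.org", "mallory2@example.test", true) // target address as login
	_, err = s.Authenticate("victim2@example.org", true)
	fmt.Println("hardened login with email as login name, err =", err)
}
```

The enforcement point here is deliberately the authentication path so that both bypasses fail through one check; in a real system the same rule should also be applied at sign-up and profile update so an unverified address never reaches the database as a login name in the first place.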

The CVSS score for this vulnerability is 5.4 (Medium).

Impact

The vulnerability allows bypassing email verification and might prevent legitimate owners of the email from signing up.

Impacted versions

The vulnerability impacts instances that use Grafana basic authentication and are running Grafana versions:

  • Grafana 10.3.0 to Grafana 10.3.1
  • Grafana 10.2.0 to Grafana 10.2.3
  • Grafana 10.1.0 to Grafana 10.1.6
  • Grafana 10.0.0 to Grafana 10.0.10
  • All versions older than Grafana 9.5.16

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible. 

Alternatively, you can disable Grafana basic authentication if your instance has other authentication mechanisms enabled.

Timeline and post-incident review

Here is a detailed timeline starting from when we originally introduced the issue.

  • 2015-08-31 09:35 UTC - Email verification logic is introduced in Grafana.
  • 2023-11-10 14:01 UTC - We received a bug bounty report stating that email verification logic can be bypassed.
  • 2023-11-15 13:55 UTC - CVE is requested and GitHub Advisory is created.
  • 2023-11-21 11:25 UTC- We verified that the vulnerability is present.
  • 2023-01-12 11:34 UTC- We implemented a fix.
  • 2023-01-18 16:21 UTC - The fix has been tested and verified.
  • 2024-01-24 13:12 UTC - Backports for the fix created.
  • 2024-01-26 9:43 UTC - Backports for the fix verified.
  • 2024-01-30 13:43 UTC - Private release.
  • 2024-02-14 10:48 UTC - Public release.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.