CVE-2023-6152

Aliases: GHSA-3hv4-r2fm-h27f, BIT-grafana-2023-6152
Status: Modified
Published: 13 Feb 2024, 21:38
Last modified: 15 Feb 2025, 00:10

Vulnerability Summary

Overall Risk (default): medium, 32/100
CVSS Score: 5.4 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.22% LOW (0.00% probability)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

13 Feb 2024, 21:38: Published (vulnerability first disclosed)
15 Feb 2025, 00:10: Last modified (vulnerability information updated)

Description

A user who changes their email address after signing up and verifying it can change it again in profile settings without any verification. The configuration option "verify_email_enabled" only validates the email address on sign up.

CVSS Metrics

  • v3.1 MEDIUM, Score: 5.4, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS Trends

Current EPSS score: 0.22%, Percentile: 45%

Techniques & Countermeasures

  • CWE-863: Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

  • github.com/grafana/grafana

    ≥ 2.5.0, < 9.5.16 | ≥ 10.0.0, < 10.0.11 | ≥ 10.1.0, < 10.1.7 | ≥ 10.2.0, < 10.2.4 | ≥ 10.3.0, < 10.3.3

  • grafana grafana

    ≥ 2.5.0, < 9.5.16 | ≥ 10.0.0, < 10.0.11 | ≥ 10.1.0, < 10.1.7 | ≥ 10.2.0, < 10.2.4 | ≥ 10.3.0, < 10.3.3 | ≤ 2.5.0 | 10.0.0 | 10.1.0 | 10.2.0 | 10.3.0

  • grafana grafana enterprise

    ≥ 2.5.0, < 9.5.16 | ≥ 10.0.0, < 10.0.11 | ≥ 10.1.0, < 10.1.7 | ≥ 10.2.0, < 10.2.4 | ≥ 10.3.0, < 10.3.3

References (7)