PT-2023-3111 · Grafana
Sebob · Published 2023-04-19 · Updated 2024-06-15
CVE-2023-2183
CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Grafana versions prior to 9.5.3
Grafana versions prior to 9.4.12
Grafana versions prior to 9.3.15
Grafana versions prior to 9.2.19
Grafana versions prior to 8.5.26
Description
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is hidden in the user panel UI for users with the Viewer role. However, a user with the Viewer role can still send a test alert through the API, because the API does not check whether the caller is authorized for this function. This lets malicious users abuse the functionality by sending many alert messages to e-mail and Slack, spamming users, preparing phishing attacks, or blocking SMTP servers.
The API endpoint /api/alertmanager/grafana/config/api/v1/receivers/test can be called by users with the Viewer role, allowing them to send test alerts. The request specifies the receivers and the alert variables used to build the message, so a Viewer can send specially crafted alert messages, potentially leading to phishing attacks or SMTP server blockage.
Recommendations
For versions prior to 9.5.3, upgrade to version 9.5.3 to receive a fix.
For versions prior to 9.4.12, upgrade to version 9.4.12 to receive a fix.
For versions prior to 9.3.15, upgrade to version 9.3.15 to receive a fix.
For versions prior to 9.2.19, upgrade to version 9.2.19 to receive a fix.
For versions prior to 8.5.26, upgrade to version 8.5.26 to receive a fix.
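The per-branch fixed versions above turn a version inventory into an upgrade list. The script below is an added example for this page, not Grafana's own code or tooling: it encodes the five fixed releases the advisory names and flags any build older than the fix on its own branch. Branches the advisory does not name (for example 9.0.x, 9.1.x or 8.4.x) have no fixed release of their own here, so the script reads "prior to" literally and treats any such build older than 9.5.3 as affected; that conservative reading, and the sample inventory, are assumptions of the example.

```python
"""Triage a Grafana fleet against the CVE-2023-2183 version ranges.

Added example for this advisory page; not Grafana's own code. The fixed
releases are the five the advisory lists. How to treat branches the
advisory does not name is this script's assumption (see is_affected).
"""

import re

# Fixed releases named in the advisory, keyed by major.minor branch.
FIXED_VERSIONS = {
    (9, 5): (9, 5, 3),
    (9, 4): (9, 4, 12),
    (9, 3): (9, 3, 15),
    (9, 2): (9, 2, 19),
    (8, 5): (8, 5, 26),
}

# Accepts "9.4.7", "v9.4.7" and distro-suffixed forms such as "9.4.7-ubuntu".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a Grafana version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Return True if the version lies inside the advisory's affected ranges.

    A build on a branch with a named fix is affected while it is older than
    that fix. A build on any other branch is affected while it is older than
    the newest named fix (9.5.3); this literal reading of "prior to" is an
    assumption of this example, chosen to err on the side of flagging.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    newest_fix = max(FIXED_VERSIONS.values())
    return v < newest_fix


def triage(inventory):
    """Map host -> version string to host -> recommended action."""
    report = {}
    for host, version in inventory.items():
        v = parse_version(version)
        if not is_affected(v):
            report[host] = "not affected"
            continue
        fix = FIXED_VERSIONS.get(v[:2])
        if fix:
            report[host] = "upgrade to %d.%d.%d" % fix
        else:
            # Branch with no named fix: move to a branch that has one.
            report[host] = "upgrade to a fixed branch (9.5.3 or a later release)"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample_inventory = {
        "grafana-prod-01": "9.4.7",
        "grafana-prod-02": "v9.5.3",
        "grafana-legacy": "8.5.20-ubuntu",
        "grafana-dev": "9.1.2",
    }
    for host, action in triage(sample_inventory).items():
        print(f"{host}: {action}")
```

Run it against the output of your own inventory source (for example the version reported by each instance's health endpoint); the comparison is purely numeric, so pre-release or vendor suffixes after the patch number are ignored.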
As a temporary workaround, consider restricting access to the
/api/alertmanager/grafana/config/api/v1/receivers/test API endpoint for users with the Viewer role.
Additionally, limit the ability to send multiple e-mails to the same e-mail address per unit of time in the SMTP server configuration settings.
Improper Access Control
Missing Authorization
Affected Products
Alt Linux
Grafana
Red Os
Suse