Grafana security release: New versions of Grafana with a medium severity security fix for CVE-2023-4822

Grafana Security Advisory

We are releasing Grafana 10.1.5, 10.0.9, 9.5.13, and 9.4.17. These patch releases contain a fix for CVE-2023-4822, a medium severity security vulnerability in the role-based access control (RBAC) system in Grafana Enterprise.

Release 10.1.5, latest release with security patch:

Release 10.0.9 with the security patch:

Release 9.5.13 with the security patch:

Release 9.4.17 with the security patch:

Cross-organization permission escalation by an organization administrator (CVE-2023-4822)

Summary

Vulnerable versions of Grafana are incorrectly assessing permissions to update cross-organization roles and role assignments. Therefore users with administrator permissions in one organization can change cross-organization role permissions and cross-organization role assignments.

This vulnerability impacts instances with more than one organization running Grafana Enterprise versions.

No Grafana Cloud instances are impacted because the platform is limited to a single organization.

The CVSS score for this vulnerability is 6.7 Medium.

Impact

If exploited, an attacker who has the Organization Admin role in any organization can elevate their permissions across all organizations, elevate other users’ permissions in all organizations, or limit other users’ permissions in all organizations.

The vulnerability, however, does not allow the attacker to become a member of an organization that they are not already a member of, nor can they add any other user to an organization that the attacker is not a member of already.

Impacted versions

The vulnerability impacts instances with more than one organization running Grafana Enterprise versions:

  • 8.0.0 to 10.0.0 with RBAC enabled
  • 10.0.0 to 10.1.2
  • 10.1.4

You can check if role-based access control (RBAC) is enabled by calling GET /api/access-control/status. If the endpoint is found and returns "enabled": true, role-based access control is enabled on your instance.

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible.

If you cannot upgrade now, you should limit the Organization Administrator privileges only to trusted users who will not abuse this vulnerability.

Timeline and post-incident review

Here is a detailed timeline starting from when we originally introduced the issue. All times in UTC.

  • 2021-01-06 08:45 UTC – The faulty permission evaluation logic is introduced in Grafana.
  • 2023-08-18 10:42 UTC – A bug that prevents editing basic role assignments is introduced.
  • 2023-09-06 17:53 UTC – It is brought to our attention that users are not able to edit the basic roles.
  • 2023-09-07 10:15 UTC – We investigate the issue with updating basic roles and discover the security vulnerability in the related code.
  • 2023-09-07 10:33 UTC – An incident is opened and announced.
  • 2023-09-07 15:53 UTC – CVE is requested / GitHub advisory is created.
  • 2023-09-08 11:47 UTC – We explore the attack surface and make sure there are no related exploitable vulnerabilities.
  • 2023-09-12 14:45 UTC – Fix for the vulnerability is merged.
  • 2023-09-13 06:52 UTC – Backports for the supported versions are created and merged.
  • 2023-09-19 20:22 UTC – Private release.
  • 2023-10-12 11:27 UTC – Public release.
  • 2023-10-13 14:00 UTC – Blog published.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.

READ MORE