CVE-2023-6152

Description

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected products

Grafana / Grafana2.5.0 – 9.5.16
Grafana / Grafana10.0.0 – 10.0.11
Grafana / Grafana10.1.0 – 10.1.7
Grafana / Grafana10.2.0 – 10.2.4
Grafana / Grafana10.3.0 – 10.3.3
Grafana / Grafana Enterprise2.5.0 – 9.5.16
Grafana / Grafana Enterprise10.0.0 – 10.0.11
Grafana / Grafana Enterprise10.1.0 – 10.1.7
Grafana / Grafana Enterprise10.2.0 – 10.2.4
Grafana / Grafana Enterprise10.3.0 – 10.3.3

References

VENDOR_ADVISORYhttps://grafana.com/security/security-advisories/cve-2023-6152/
VENDOR_ADVISORYhttps://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f