CVE-2023-4822
Severity CVSS v4.0:
Pending analysis
Type:
CWE-269
Improper Privilege Management
Publication date:
16/10/2023
Last modified:
13/02/2025
Description
Grafana is an open-source platform for monitoring and observability. The vulnerability affects Grafana instances with multiple organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with the Organization Viewer, Organization Editor and Organization Admin roles in all organizations.

It also allows an Organization Admin to assign or revoke any permissions that they themselves hold to or from any user globally.

This means that any Organization Admin can elevate their own permissions in any organization of which they are already a member, or elevate or restrict the permissions of any other user.

The vulnerability does not allow a user to become a member of an organization of which they are not already a member, or to add other users to an organization of which the current user is not a member.
Impact
Base Score 3.x
6.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* | 8.0.0 (including) | 9.4.16 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* | 9.5.0 (including) | 9.5.11 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* | 10.0.0 (including) | 10.0.7 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* | 10.1.0 (including) | 10.1.3 (excluding) |
| cpe:2.3:a:grafana:grafana:10.1.4:*:*:*:enterprise:*:*:* | | |