CVE-2023-6152

Incorrect Authorization in go/github.com/grafana/grafana

Identifiers

GHSA-3hv4-r2fm-h27f, CVE-2023-6152

Package Slug

go/github.com/grafana/grafana

Vulnerability

Incorrect Authorization

Description

After signing up and verifying their email address, a user can change it in profile settings without the new address being verified.

The configuration option "verify_email_enabled" validates the email address only at sign-up.

Affected Versions

All versions starting from 2.5.0 before 9.5.16, all versions starting from 10.0.0 before 10.0.11, all versions starting from 10.1.0 before 10.1.7, all versions starting from 10.2.0 before 10.2.4, all versions starting from 10.3.0 before 10.3.3

Solution

Upgrade to versions 9.5.16, 10.0.11, 10.1.7, 10.2.4, 10.3.3 or above.
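The fixes are per release branch, so a single "version >= 9.5.16" comparison gives the wrong answer (10.0.5 is affected, 9.5.16 is not). The following Go check is an added example, not code from Grafana or from this advisory; it encodes the ranges listed under Affected Versions, and the names `IsAffected`, `parse` and `less` are hypothetical helpers introduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected [introduced, fixed) ranges, copied from the advisory above.
var affected = [][2][3]int{
	{{2, 5, 0}, {9, 5, 16}}, {{10, 0, 0}, {10, 0, 11}}, {{10, 1, 0}, {10, 1, 7}},
	{{10, 2, 0}, {10, 2, 4}}, {{10, 3, 0}, {10, 3, 3}},
}

// parse accepts only "X.Y.Z" or "vX.Y.Z"; suffixed builds are rejected for manual review.
func parse(s string) (v [3]int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	_, err = fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	if err == nil && (strings.Contains(s, "-") || fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) != s) {
		err = fmt.Errorf("not a plain major.minor.patch version: %q", s)
	}
	return v, err
}

// less reports whether a sorts before b (major, then minor, then patch).
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether version falls inside any affected range.
func IsAffected(version string) (bool, error) {
	v, err := parse(version)
	for _, r := range affected {
		if err == nil && !less(v, r[0]) && less(v, r[1]) {
			return true, nil
		}
	}
	return false, err
}

func main() {
	for _, s := range []string{"9.5.16", "10.0.5", "10.3.3-pre"} { // constructed samples
		ok, err := IsAffected(s)
		fmt.Println(s, ok, err)
	}
}
```

Version strings with pre-release or build suffixes return an error instead of a verdict, since the advisory does not say how such builds map onto the ranges.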

Last Modified

2024-02-14
