N/A

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

访问控制不恰当

Grafana 安全漏洞

Grafana是Grafana开源的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana 9.4.12之前版本、 9.5.3之前版本存在安全漏洞，该漏洞源于具有查看者角色的用户仍然可以使用 API 发送测试警报，因为 API不检查对此功能的访问，攻击者利用该漏洞可以通过向电子邮件和 Slack 发送多条警报消息、向用户发送垃圾邮件、准备网络钓鱼攻击。

N/A

N/A