Lines 1-3
|
|
|
1 |
<vuln vid="6a851dc0-cfd2-11ee-ac09-6c3be5272acd"> |
2 |
<topic>Grafana -- Email verification is not required after email change</topic> |
3 |
<affects> |
4 |
<package> |
5 |
<name>grafana</name> |
6 |
<range><lt>9.5.16</lt></range> |
7 |
<range><ge>10.0.0</ge><lt>10.0.11</lt></range> |
8 |
<range><ge>10.1.0</ge><lt>10.1.7</lt></range> |
9 |
<range><ge>10.2.0</ge><lt>10.2.4</lt></range> |
10 |
<range><ge>10.3.0</ge><lt>10.3.3</lt></range> |
11 |
</package> |
12 |
<package> |
13 |
<name>grafana9</name> |
14 |
<range><lt>9.5.16</lt></range> |
15 |
</package> |
16 |
<package> |
17 |
<name>grafana10</name> |
18 |
<range><lt>10.0.11</lt></range> |
19 |
<range><ge>10.1.0</ge><lt>10.1.7</lt></range> |
20 |
<range><ge>10.2.0</ge><lt>10.2.4</lt></range> |
21 |
<range><ge>10.3.0</ge><lt>10.3.3</lt></range> |
22 |
</package> |
23 |
</affects> |
24 |
<description> |
25 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
26 |
<p>Grafana Labs reports:</p> |
27 |
<blockquote cite="https://grafana.com/blog/2024/02/14/grafana-security-release-medium-severity-security-fix-for-cve-2023-6152/"> |
28 |
<p>The vulnerability impacts instances where |
29 |
<a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/"> |
30 |
Grafana basic authentication</a> is enabled.</p> |
31 |
<p>Grafana has a |
32 |
<a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#verify_email_enabled"> |
33 |
verify_email_enabled</a> configuration option. When this option is enabled, |
34 |
users are required to confirm their email addresses before the sign-up process |
35 |
is complete. However, the email is only checked at the time of the sign-up. |
36 |
No further verification is carried out if a user’s email address is updated |
37 |
after the initial sign-up. Moreover, Grafana allows using an email address |
38 |
as the user’s login name, and no verification is ever carried out for this email |
39 |
address.</p> |
40 |
<p>This means that even if the |
41 |
<a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#verify_email_enabled"> |
42 |
verify_email_enabled</a> configuration option is enabled, users can use |
43 |
unverified email addresses to log into Grafana if the email address |
44 |
has been changed after the sign up, or if an email address is set as the login |
45 |
name.</p> |
46 |
<p>The CVSS score for this vulnerability is [5.4 Medium] (CVSS).</p> |
47 |
</blockquote> |
48 |
</body> |
49 |
</description> |
50 |
<references> |
51 |
<cvename>CVE-2023-6152</cvename> |
52 |
<url>https://grafana.com/security/security-advisories/cve-2023-6152/</url> |
53 |
</references> |
54 |
<dates> |
55 |
<discovery>2023-11-10</discovery> |
56 |
<entry>2024-02-20</entry> |
57 |
</dates> |
58 |
</vuln> |
59 |
|
1 |
<vuln vid="e15ba624-cca8-11ee-84ca-b42e991fc52e"> |
60 |
<vuln vid="e15ba624-cca8-11ee-84ca-b42e991fc52e"> |
2 |
<topic>powerdns-recursor -- Multiple Vulnerabilities</topic> |
61 |
<topic>powerdns-recursor -- Multiple Vulnerabilities</topic> |
3 |
<affects> |
62 |
<affects> |
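Review bot: the CVSS sentence in the new entry's blockquote still carries link-markup residue, `[5.4 Medium] (CVSS)`; write the score as plain text (for example "5.4 Medium") so the rendered description reads cleanly. Also, `<references>` lists only the security-advisory URL, while the blockquote's `cite` attribute points at the Grafana blog post that the text is quoted from; adding that blog URL as a second `<url>` would keep the quoted source reachable from the references. Last, the `grafana10` package opens with `<range><lt>10.0.11</lt></range>` while the `grafana` package bounds the same branch with `<ge>10.0.0</ge>`; both match the same versions for a 10.x-only port, but it is worth confirming the open lower bound is intended.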