(-)b/security/vuxml/vuln/2024.xml (+59 lines)
Lines 1-3 Link Here
1
  <vuln vid="6a851dc0-cfd2-11ee-ac09-6c3be5272acd">
2
    <topic>Grafana -- Email verification is not required after email change</topic>
3
    <affects>
4
      <package>
5
	<name>grafana</name>
6
	<range><lt>9.5.16</lt></range>
7
	<range><ge>10.0.0</ge><lt>10.0.11</lt></range>
8
	<range><ge>10.1.0</ge><lt>10.1.7</lt></range>
9
	<range><ge>10.2.0</ge><lt>10.2.4</lt></range>
10
	<range><ge>10.3.0</ge><lt>10.3.3</lt></range>
11
      </package>
12
      <package>
13
	<name>grafana9</name>
14
	<range><lt>9.5.16</lt></range>
15
      </package>
16
      <package>
17
	<name>grafana10</name>
18
	<range><lt>10.0.11</lt></range>
19
	<range><ge>10.1.0</ge><lt>10.1.7</lt></range>
20
	<range><ge>10.2.0</ge><lt>10.2.4</lt></range>
21
	<range><ge>10.3.0</ge><lt>10.3.3</lt></range>
22
      </package>
23
    </affects>
24
    <description>
25
	<body xmlns="http://www.w3.org/1999/xhtml">
26
	<p>Grafana Labs reports:</p>
27
	<blockquote cite="https://grafana.com/blog/2024/02/14/grafana-security-release-medium-severity-security-fix-for-cve-2023-6152/">
28
	  <p>The vulnerability impacts instances where
29
	  <a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/">
30
	  Grafana basic authentication</a> is enabled.</p>
31
	  <p>Grafana has a
32
	  <a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#verify_email_enabled">
33
	  verify_email_enabled</a> configuration option. When this option is enabled,
34
	  users are required to confirm their email addresses before the sign-up process
35
	  is complete. However, the email is only checked at the time of the sign-up.
36
	  No further verification is carried out if a user’s email address is updated
37
	  after the initial sign-up. Moreover, Grafana allows using an email address
38
	  as the user’s login name, and no verification is ever carried out for this email
39
	  address.</p>
40
	  <p>This means that even if the
41
	  <a href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#verify_email_enabled">
42
	  verify_email_enabled</a> configuration option is enabled, users can use
43
	  unverified email addresses to log into Grafana if the email address
44
	  has been changed after the sign up, or if an email address is set as the login
45
	  name.</p>
46
	  <p>The CVSS score for this vulnerability is [5.4 Medium] (CVSS).</p>
47
	</blockquote>
48
	</body>
49
    </description>
50
    <references>
51
      <cvename>CVE-2023-6152</cvename>
52
      <url>https://grafana.com/security/security-advisories/cve-2023-6152/</url>
53
    </references>
54
    <dates>
55
      <discovery>2023-11-10</discovery>
56
      <entry>2024-02-20</entry>
57
    </dates>
58
  </vuln>
59
1
  <vuln vid="e15ba624-cca8-11ee-84ca-b42e991fc52e">
60
  <vuln vid="e15ba624-cca8-11ee-84ca-b42e991fc52e">
2
    <topic>powerdns-recursor -- Multiple Vulnerabilities</topic>
61
    <topic>powerdns-recursor -- Multiple Vulnerabilities</topic>
3
    <affects>
62
    <affects>
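Review bot: The last paragraph of the quoted description, "The CVSS score for this vulnerability is [5.4 Medium] (CVSS).", still carries link markup from the upstream post, so the rendered entry shows stray brackets and a dangling "(CVSS)". Either wrap the score in an `<a href>` like the other links in this blockquote or reduce it to plain text such as "5.4 Medium". A smaller consistency point in `<affects>`: the first `grafana10` range is `<lt>10.0.11</lt>` with no lower bound, while the matching `grafana` range uses `<ge>10.0.0</ge><lt>10.0.11</lt>`. Adding the `<ge>10.0.0</ge>` bound would keep the two package lists parallel and make the intended branch explicit. The `<references>` block also lists only the security-advisories URL, although the blockquote cites the blog post. Adding that post as a second `<url>` would let readers reach the quoted text from the references.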

Return to bug 277184