Bug 1216315 (CVE-2023-4822)

Summary: VUL-0: CVE-2023-4822: grafana: Org admins can modify permissions across all orgs
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, witold.bedyk
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381960/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4822:6.7:(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-17 08:30:49 UTC
The vulnerability impacts instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.

References:
https://grafana.com/security/security-advisories/cve-2023-4822/
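The description above boils down to a missing tenancy check: a role-permission update is authorized on "is this user an admin somewhere" instead of "is this user an admin of the org the request targets". The Go sketch below is an added illustration written for this report, not Grafana's code; the Caller, Store, role names and permission strings are all constructed, hypothetical models. It places the unscoped check next to the org-scoped one so the difference in the authorization decision is visible.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the authenticated principal making the request (hypothetical model).
// OrgID is the org the caller is currently acting in; Roles maps each org the
// caller belongs to onto the role held there ("Admin", "Editor" or "Viewer").
type Caller struct {
	UserID int64
	OrgID  int64
	Roles  map[int64]string
}

// roleKey identifies one (organization, role) pair whose permissions are stored.
type roleKey struct {
	OrgID int64
	Role  string
}

// Store keeps the permission list attached to every (org, role) pair (constructed).
type Store struct {
	perms map[roleKey][]string
}

func NewStore() *Store { return &Store{perms: map[roleKey][]string{}} }

// Get returns a copy of the permissions currently attached to a role in an org.
func (s *Store) Get(orgID int64, role string) []string {
	return append([]string(nil), s.perms[roleKey{orgID, role}]...)
}

var ErrForbidden = errors.New("forbidden")

// UpdateVulnerable shows the flawed shape: it only asks whether the caller is an
// Admin in *some* org and then writes to whichever org the request names, so an
// admin of org 1 can rewrite the Viewer role of org 2.
func (s *Store) UpdateVulnerable(c Caller, targetOrg int64, role string, perms []string) error {
	isAdmin := false
	for _, r := range c.Roles {
		if r == "Admin" {
			isAdmin = true
		}
	}
	if !isAdmin {
		return ErrForbidden
	}
	s.perms[roleKey{targetOrg, role}] = perms
	return nil
}

// UpdateScoped is the hardened shape: the target org must be the org the caller
// is acting in, and the caller must hold Admin in that same org. Membership in
// the org is implied by the role lookup, so a Viewer of org 2 acting in org 2
// is still refused.
func (s *Store) UpdateScoped(c Caller, targetOrg int64, role string, perms []string) error {
	if targetOrg != c.OrgID {
		return ErrForbidden
	}
	if c.Roles[c.OrgID] != "Admin" {
		return ErrForbidden
	}
	s.perms[roleKey{targetOrg, role}] = perms
	return nil
}

func main() {
	s := NewStore()
	// Admin of org 1, plain Viewer of org 2, currently acting in org 1 (constructed).
	c := Caller{UserID: 7, OrgID: 1, Roles: map[int64]string{1: "Admin", 2: "Viewer"}}
	fmt.Println("unscoped write to org 2:", s.UpdateVulnerable(c, 2, "Viewer", []string{"dashboards:write"}))
	fmt.Println("scoped write to org 2:  ", s.UpdateScoped(c, 2, "Viewer", []string{"dashboards:write"}))
	fmt.Println("scoped write to org 1:  ", s.UpdateScoped(c, 1, "Viewer", []string{"dashboards:read"}))
}
```

The scoped variant is also the one worth auditing for in any multi-tenant RBAC layer: every mutation of role definitions or user-role assignments should carry the tenant it applies to, and the authorization check should compare that tenant against the caller's session context rather than against the union of the caller's memberships.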
Comment 1 Gabriele Sonnu 2023-10-17 08:44:01 UTC
According to [0], this impacts the following Grafana versions:

- 8.0.0 to 10.0.0 with RBAC enabled
- 10.0.0 to 10.1.2
- 10.1.4

So, tracking as affected:

- SUSE:SLE-12:Update              v9.5.5
- SUSE:SLE-15-SP2:Update/grafana  v9.5.5
- SUSE:SLE-15:Update/grafana      v9.5.5

- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/grafana  v8.3.5
[0] https://grafana.com/blog/2023/10/13/grafana-security-release-new-versions-of-grafana-with-a-medium-severity-security-fix-for-cve-2023-4822/
Comment 2 Witek Bedyk 2023-10-23 10:55:57 UTC
The vulnerability affects Grafana Enterprise only. Our products are not affected.
Comment 3 Gabriele Sonnu 2023-10-23 12:00:28 UTC
Thanks Witek. Closing.