Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-6152: grafana: lack of validation on email update on configuration option "verify_email_enabled" | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | monitoring-devel <monitoring-devel> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | andrea.mattiazzo, monitoring-devel, stoyan.manolov, witold.bedyk |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/394001/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-6152:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-02-14 10:54:32 UTC
Tracking as affected:
- SUSE:SLE-12:Update/grafana 9.5.8
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/grafana 9.5.8
- SUSE:SLE-15-SP2:Update/grafana 9.5.8
- SUSE:SLE-15:Update/grafana 9.5.8
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/grafana 9.5.8
- openSUSE:Factory/grafana 10.1.5

CVSS 7 so won't fix for:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana 6.7.4
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/grafana 6.7.4

Grafana in openSUSE:Factory had been meanwhile upgraded to the patched version 10.3.3. Submission adding CVE and Bugzilla reference has been requested: https://build.opensuse.org/request/show/1156920

SUMA development IBS projects have been updated to the patched version 9.5.16. Submissions to the SLE15 and SLE12 codestreams are planned together with the next SUMA maintenance update on April 18.

SUSE-SU-2024:1427-1: An update that solves eight vulnerabilities, contains one feature and has 11 security fixes can now be installed.

Category: security (moderate)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219887, 1219912, 1220371, 1221092
CVE References: CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-14365, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690
Jira References: MSQA-759
Maintenance Incident: [SUSE:Maintenance:33400](https://smelt.suse.de/incident/33400/)
Sources used:
- SUSE Manager Client Tools Beta for SLE 15 (src): ansible-2.9.27-159000.3.12.2, spacecmd-5.0.5-159000.6.48.2, grafana-9.5.16-159000.4.30.2, supportutils-plugin-susemanager-client-5.0.3-159000.6.21.2, uyuni-tools-0.1.7-159000.3.8.1, POS_Image-Graphical7-0.1.1710765237.46af599-159000.3.24.2, dracut-saltboot-0.1.1710765237.46af599-159000.3.33.2, spacewalk-client-tools-5.0.4-159000.6.54.2, POS_Image-JeOS7-0.1.1710765237.46af599-159000.3.24.2
- SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-prometheus-node_exporter-1.5.0-159000.6.2.1, uyuni-tools-0.1.7-159000.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1419-1: An update that solves one vulnerability, contains three features and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1219887, 1219912, 1220371
CVE References: CVE-2023-6152
Jira References: MSQA-759, PED-7893, PED-7928
Maintenance Incident: [SUSE:Maintenance:33381](https://smelt.suse.de/incident/33381/)
Sources used:
- SUSE Manager Client Tools Beta for SLE 12 (src): spacecmd-5.0.5-41.48.1, golang-github-prometheus-alertmanager-0.26.0-4.18.2, golang-github-prometheus-node_exporter-1.7.0-4.18.2, grafana-9.5.16-4.27.1, spacewalk-client-tools-5.0.4-55.51.1, supportutils-plugin-susemanager-client-5.0.3-9.21.1, golang-github-prometheus-promu-0.14.0-4.15.1, uyuni-tools-0.1.7-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1530-1: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1219912, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33419](https://smelt.suse.de/incident/33419/)
Sources used:
- SUSE Package Hub 15 15-SP5 (src): grafana-9.5.18-150200.3.56.1
- openSUSE Leap 15.5 (src): mybatis-3.5.6-150200.5.6.1, grafana-9.5.18-150200.3.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1509-1: An update that solves 15 vulnerabilities, contains one feature and has four security fixes can now be installed.

Category: security (important)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219912, 1221092, 1221465, 1222155
CVE References: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33434](https://smelt.suse.de/incident/33434/)
Sources used:
- openSUSE Leap 15.5 (src): spacecmd-4.3.27-150000.3.116.2, POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, golang-github-prometheus-promu-0.14.0-150000.3.18.2
- SUSE Manager Client Tools for SLE 15 (src): POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, spacewalk-client-tools-4.3.19-150000.3.89.2, uyuni-common-libs-4.3.10-150000.1.39.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, mgr-daemon-4.3.9-150000.1.47.2, spacewalk-koan-4.3.6-150000.3.33.2, spacecmd-4.3.27-150000.3.116.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, grafana-9.5.18-150000.1.63.2
- SUSE Manager Client Tools for SLE Micro 5 (src): uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2
- SUSE Package Hub 15 15-SP5 (src): golang-github-prometheus-promu-0.14.0-150000.3.18.2
- SUSE Manager Proxy 4.3 Module 4.3 (src): ansible-2.9.27-150000.1.17.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1508-1: An update that solves two vulnerabilities, contains three features and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1219912, 1221465, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760, PED-7893, PED-7928
Maintenance Incident: [SUSE:Maintenance:33420](https://smelt.suse.de/incident/33420/)
Sources used:
- SUSE Manager Client Tools for SLE 12 (src): golang-github-prometheus-promu-0.14.0-1.18.1, spacecmd-4.3.27-38.139.1, spacewalk-client-tools-4.3.19-52.98.1, uyuni-common-libs-4.3.10-1.39.1, golang-github-prometheus-node_exporter-1.7.0-1.30.2, spacewalk-koan-4.3.6-24.36.1, golang-github-prometheus-alertmanager-0.26.0-1.27.2, mgr-daemon-4.3.9-1.47.1, grafana-9.5.18-1.63.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2
- SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.7.0-1.30.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1530-2: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1219912, 1222155
CVE References: CVE-2023-6152, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33419](https://smelt.suse.de/incident/33419/)
Sources used:
- openSUSE Leap 15.6 (src): grafana-9.5.18-150200.3.56.1, mybatis-3.5.6-150200.5.6.1
- SUSE Package Hub 15 15-SP6 (src): grafana-9.5.18-150200.3.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.