CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.6%
According to its self-reported version number, the version of Grafana Enterprise running on the remote host is a version 9.4.x prior to 9.4.17, 9.5.x prior to 9.5.13, 10.0.x prior to 10.0.9 or 10.1.x prior to 10.1.5. It is, therefore, affected by a restriction bypass vulnerability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance does not call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(186028);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/16");
script_cve_id("CVE-2023-4399");
script_xref(name:"IAVB", value:"2023-B-0087-S");
script_name(english:"Grafana Enterprise Datasource Network Restrictions Bypass (CVE-2023-4399)");
script_set_attribute(attribute:"synopsis", value:
"The web application running on the remote web server is affected by a restriction bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of Grafana Enterprise running on the remote
host is a version 9.4.x prior to 9.4.17, 9.5.x prior to 9.5.13, 10.0.x prior to 10.0.9 or 10.1.x prior to
10.1.5. It is, therefore, affected by a restriction bypass vulnerability. In Grafana Enterprise,
Request security is a deny list that allows admins to configure Grafana in a way so that the instance
does not call specific hosts. However, the restriction can be bypassed used punycode encoding of the
characters in the request address.
Note that Nessus has not tested for these issues but has instead relied only on the application's
self-reported version number.");
# https://grafana.com/security/security-advisories/cve-2023-4399
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6d6b9724");
script_set_attribute(attribute:"solution", value:
"Upgrade to Grafana 9.4.17, 9.5.13, 10.0.9, 10.1.5 or later");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4399");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/12");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:grafana:grafana");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("grafana_labs_detect.nbin");
script_require_keys("installed_sw/Grafana Labs");
script_require_ports("Services/www", 3000);
exit(0);
}
include('vcf.inc');
include("http.inc");
var port = get_http_port(default:3000);
var app_info = vcf::get_app_info(app:'Grafana Labs', port:port, webapp:TRUE);
# If there's no edition information only flag if paranoid
if ((empty_or_null(app_info.Edition) && report_paranoia < 2) || app_info.Edition != 'Enterprise')
vcf::audit(app_info);
var constraints = [
{ 'min_version' : '9.4.0', 'fixed_version' : '9.4.17' },
{ 'min_version' : '9.5.0', 'fixed_version' : '9.5.13' },
{ 'min_version' : '10.0.0', 'fixed_version' : '10.0.9' },
{ 'min_version' : '10.1.0', 'fixed_version' : '10.1.5' }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.6%