CVE-2023-4399

Published: Oct 17, 2023Modified: Feb 13, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address.

Affected (4)

Products: Grafana: Grafana

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Grafana Grafana	From 10.0.0 to 10.0.9
Grafana Grafana	From 10.1.0 to 10.1.5
Grafana Grafana	From 9.4.0 to 9.4.17
Grafana Grafana	From 9.5.0 to 9.5.13

Related CWEs

Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

References (4)

https://grafana.com/security/security-advisories/cve-2023-4399/

Source: security@grafana.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20231208-0003/

Source: security@grafana.com

https://grafana.com/security/security-advisories/cve-2023-4399/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20231208-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.