CVE-2023-4399

Summary

Grafana is an open-source platform for monitoring and observability.

In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts.

However, the restriction can be bypassed used punycode encoding of the characters in the request address.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana Enterprise10.1.0 < 10.1.5affected
GrafanaGrafana Enterprise10.0.0 < 10.0.9affected
GrafanaGrafana Enterprise9.5.0 < 9.5.13affected
GrafanaGrafana Enterprise9.4.0 < 9.4.17affected

Weaknesses

  • CWE-183: CWE-183

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References