CVE-2023-4399: 
Grafana vulnerability analysis and mitigation

Grafana Enterprise versions 9.4.0 through 9.4.17, 9.5.0 through 9.5.13, 10.0.0 through 10.0.9, and 10.1.0 through 10.1.5 contain a security vulnerability where the Request security deny list feature can be bypassed. This feature allows administrators to configure Grafana to prevent calls to specific hosts, however, the restriction can be circumvented by using punycode encoding of characters in the request address. The vulnerability was discovered by leixiao of Syclover Security Team and was publicly disclosed on October 12, 2023 (Grafana Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires network access and high privileges but no user interaction, with potential high impacts to confidentiality, integrity, and availability. The vulnerability is specifically related to the Request security deny list feature in Grafana Enterprise, where the protection mechanism can be bypassed through punycode encoding of characters in request addresses (NVD, NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects the security boundary controls of Grafana Enterprise installations, potentially allowing attackers to bypass network restrictions put in place by administrators (NetApp Advisory).

Organizations running affected versions of Grafana Enterprise should upgrade to the following fixed versions: 9.4.17 or later for the 9.4.x series, 9.5.13 or later for the 9.5.x series, 10.0.9 or later for the 10.0.x series, or 10.1.5 or later for the 10.1.x series (Grafana Advisory).