CVE-2023-4822: 
Grafana vulnerability analysis and mitigation

Grafana, an open-source platform for monitoring and observability, disclosed a vulnerability (CVE-2023-4822) on October 12, 2023. The vulnerability affects Grafana instances with multiple organizations, impacting versions 8.0.0 to 9.4.16, 9.5.0 to 9.5.11, 10.0.0 to 10.0.7, and 10.1.0 to 10.1.3 (Grafana Advisory).

The vulnerability allows users with Organization Admin permissions in one organization to modify permissions associated with Organization Viewer, Organization Editor, and Organization Admin roles across all organizations. This security flaw enables Organization Admins to assign or revoke any permissions they possess to any user globally. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing Organization Admins to elevate their own permissions in any organization they are members of, or modify the permissions of other users. However, the vulnerability does not permit users to become members of organizations they don't belong to or add other users to organizations where the current user is not a member (Grafana Advisory, NetApp Advisory).

Organizations should upgrade to the following patched versions: Grafana 9.4.17 (for versions 8.x-9.4.x), 9.5.13 (for version 9.5.x), 10.0.9 (for version 10.0.x), or 10.1.5 (for version 10.1.x) (CERT-FR).