CVE-2023-6152: 
Grafana vulnerability analysis and mitigation

CVE-2023-6152 is a vulnerability in Grafana that was discovered and disclosed on February 13, 2024. The vulnerability affects Grafana versions up to 2.5.0, 10.0.0, 10.1.0, 10.2.0, and 10.3.0. The issue allows users to bypass email verification after initial signup, where the configuration option 'verify_email_enabled' only validates email during the initial signup process (Grafana Advisory, GitHub Advisory).

The vulnerability stems from an implementation flaw in Grafana's email verification system. When a user changes their email address after the initial signup and verification process, the system does not require verification for the new email address in the profile settings. The issue is related to the PUT /api/user handler. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating network accessibility, low attack complexity, and low privileges required (GitHub Advisory).

The vulnerability has two main impacts: First, it allows users to bypass email verification by changing their email address after initial signup without requiring verification of the new address. Second, it can be exploited to prevent legitimate owners of email addresses from signing up, as users can claim email addresses they don't own (GitHub Advisory).

The vulnerability has been patched in multiple Grafana versions: 9.5.16, 10.0.11, 10.1.7, 10.2.4, and 10.3.3. Organizations are advised to upgrade to these patched versions to address the vulnerability (Grafana Advisory).