Grafana — Exposure of sensitive information to an unauthorized actor
Description

Grafana Labs reports:

When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default X-JWT-Assertion). In Grafana, there is an additional way to authenticate using JWT called URL login, where the token is passed as a query parameter. When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party. The CVSS score for this vulnerability is 4.2 Medium.
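The mechanism in the vendor text has two halves: the auth layer accepts the token from either the header or the URL, and the data-source proxy then copies the browser's request headers onto the request it sends upstream, so the user's JWT lands at a third party. The Go program below is an added example written for this page, not Grafana's own code: it models both entry points, shows the weak header-copying proxy step beside a hardened one that strips credential-bearing headers before the hop, and checks which one leaks. The query-parameter name `auth_token`, the proxy path and the token value are assumptions; the advisory names only the header.

```go
package main

import (
	"fmt"
	"net/http"
)

// Added example, not Grafana's code. It models the two JWT entry points the
// advisory describes (the X-JWT-Assertion header and URL login via a query
// parameter) and the data-source proxy hop that forwarded the token onward.

// JWTHeaderName is the default assertion header named in the advisory.
const JWTHeaderName = "X-JWT-Assertion"

// URLLoginParam is an assumption: the advisory only says the token is
// "passed as a query parameter" and does not name the parameter.
const URLLoginParam = "auth_token"

// ExtractJWT mirrors an auth middleware: it accepts the token from the header
// or, when URL login is enabled, from the query string. A token found in the
// URL is copied into the header so later code has one place to look; that
// normalisation is what the proxy hop below turns into a leak.
func ExtractJWT(r *http.Request, urlLogin bool) (token, source string) {
	if t := r.Header.Get(JWTHeaderName); t != "" {
		return t, "header"
	}
	if urlLogin {
		if t := r.URL.Query().Get(URLLoginParam); t != "" {
			r.Header.Set(JWTHeaderName, t)
			return t, "url"
		}
	}
	return "", ""
}

// UpstreamHeadersVulnerable is the weak behaviour: every inbound header,
// including the user's JWT, is copied onto the request sent to the data source.
func UpstreamHeadersVulnerable(in http.Header) http.Header {
	out := make(http.Header, len(in))
	for k, vs := range in {
		out[k] = append([]string(nil), vs...)
	}
	return out
}

// credentialHeaders lists headers that authenticate the user to Grafana and
// must never reach a data source. Adding Authorization and Cookie is this
// example's choice; the advisory itself concerns only the JWT header.
var credentialHeaders = []string{JWTHeaderName, "Authorization", "Cookie"}

// UpstreamHeadersFixed is the hardened behaviour: copy, then strip anything
// that authenticates the user to Grafana before the proxy hop.
func UpstreamHeadersFixed(in http.Header) http.Header {
	out := UpstreamHeadersVulnerable(in)
	for _, h := range credentialHeaders {
		out.Del(h)
	}
	return out
}

// LeaksJWT reports whether a prepared upstream header set still carries the token.
func LeaksJWT(h http.Header) bool {
	return h.Get(JWTHeaderName) != ""
}

func main() {
	// Constructed request: a browser calling the data-source proxy with URL
	// login. The path and the token value are placeholders, not real data.
	r, _ := http.NewRequest(http.MethodGet,
		"http://grafana.example/api/datasources/proxy/1/query?"+URLLoginParam+"=eyJ.example.token", nil)
	tok, src := ExtractJWT(r, true)
	fmt.Printf("authenticated with token %q from %s\n", tok, src)
	fmt.Println("vulnerable proxy leaks JWT:", LeaksJWT(UpstreamHeadersVulnerable(r.Header)))
	fmt.Println("fixed proxy leaks JWT:     ", LeaksJWT(UpstreamHeadersFixed(r.Header)))
}
```

The leak is not specific to URL login in this model: a token supplied directly in the header would be forwarded just the same by the vulnerable copy. A denylist is the minimal fix that matches the advisory; a proxy that forwards only an explicit allowlist of headers is the stronger design, because a new credential header added later cannot slip through.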

CVSS3: 7.5 High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Note that this entry's 7.5 High rating and the vendor's 4.2 Medium disagree, and the vector listed here scores only availability even though the issue described is an exposure of sensitive information; check the vendor advisory before relying on either figure for prioritisation.
