
Grafana — Exposure of sensitive information to an unauthorized actor

Grafana Labs reports:

When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default X-JWT-Assertion).

In Grafana, there is an additional way to authenticate using JWT called URL login, where the token is passed as a query parameter. When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.

The CVSS score for this vulnerability is 4.2 (Medium).
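The following is an added illustration, not Grafana's code and not part of the advisory above. It models the mechanism the advisory describes: a request-handling layer that accepts a JWT either from the X-JWT-Assertion header or (with URL login enabled) from the query string, and then copies the request's headers onto the outgoing data-source call, so a token that was only ever in the URL leaves as a header. The hardened variant strips Grafana-side credentials before anything is proxied. The query parameter name, the header-denylist, the function names and the constructed token are all assumptions made for the example; the advisory does not name the parameter.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Default header name for Grafana's JWT auth, as stated in the advisory.
AUTH_HEADER = "X-JWT-Assertion"
# ASSUMPTION: the page does not name the URL-login query parameter; placeholder name.
URL_LOGIN_PARAM = "auth_token"
# Client credentials that must never ride along on a proxied data-source request.
SENSITIVE_HEADERS = {AUTH_HEADER.lower(), "authorization", "cookie"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Build an unsigned, constructed JWT purely for this demonstration."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.demo-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying it: this is what a data source
    that receives the forwarded token can read out of it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_token(headers: dict, url: str, url_login: bool):
    """Locate the client's JWT: in the auth header, or, only when URL login
    is enabled, in the query string."""
    for name, value in headers.items():
        if name.lower() == AUTH_HEADER.lower():
            return value
    if url_login:
        values = parse_qs(urlsplit(url).query).get(URL_LOGIN_PARAM)
        if values:
            return values[0]
    return None


def upstream_headers_vulnerable(headers: dict, url: str, url_login: bool) -> dict:
    """Model of the faulty behaviour: the token is normalised into the auth
    header of the in-flight request, and that header set is then copied onto
    the outgoing data-source call. A token that only appeared in the URL now
    leaves as a header."""
    token = extract_token(headers, url, url_login)
    forwarded = dict(headers)
    if token is not None:
        forwarded[AUTH_HEADER] = token
    return forwarded


def upstream_headers_hardened(headers: dict, url: str, url_login: bool) -> dict:
    """Authenticate first, then drop every Grafana-side credential before the
    request is proxied, so the data source never sees the user's JWT."""
    if extract_token(headers, url, url_login) is None:
        raise PermissionError("no JWT presented")
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    token = make_demo_jwt({"sub": "alice", "email": "alice@example.com"})
    request_url = f"/api/ds/query?{URL_LOGIN_PARAM}={token}"
    client_headers = {"Accept": "application/json"}
    print("vulnerable ->", upstream_headers_vulnerable(client_headers, request_url, True))
    print("hardened   ->", upstream_headers_hardened(client_headers, request_url, True))
```

The point of the split into `extract_token` and the two `upstream_headers_*` functions is that authentication and proxying are separate concerns: the token is needed to decide who the user is, but nothing downstream of that decision should carry it. A denylist of credential-bearing headers applied at the proxy boundary is the check a reviewer would look for in any component that forwards user requests to a backend.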
