
Grafana 9.1.0 < 9.2.17, 9.3.x < 9.3.13, 9.4.x < 9.4.9 Information Disclosure Vulnerability CVE-2023-1387

Severity (CVSSv3 score): 7.5
Vulnerability description

Grafana is prone to an information disclosure vulnerability.

Risk description

Starting with the 9.1 branch, Grafana introduced the ability to read a JWT from the URL query parameter auth_token and use it as the authentication token. When the url_login configuration option (disabled by default) is enabled, the JWT carried in the URL might be sent on to data sources. If an attacker has access to such a data source, the leaked token could be used to authenticate to Grafana.

Recommendation

Update to version 9.2.17, 9.3.13, 9.4.9 or later.
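The exposure described above only exists when url_login is switched on in the [auth.jwt] section of grafana.ini, so a quick configuration audit is a useful companion to the version check. The script below is an added example and is not part of this advisory or of Grafana itself; it assumes the standard grafana.ini layout, inspects only the [auth.jwt] section, and treats a missing key as the default (false). The sample config it writes is constructed for demonstration and is not taken from any real deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or Grafana): report whether a
# grafana.ini enables JWT login via the URL query parameter (url_login),
# the setting that CVE-2023-1387 concerns on unpatched 9.1.x-9.4.x builds.

# check_url_login <path-to-grafana.ini>
# Prints "url_login=true" when the [auth.jwt] section sets url_login to true,
# otherwise "url_login=false" (an absent key means the Grafana default, false).
check_url_login() {
  awk '
    BEGIN { v = "false" }
    # Track which INI section we are in; only [auth.jwt] matters here.
    /^[[:space:]]*\[/ { in_jwt = ($0 ~ /^[[:space:]]*\[auth\.jwt\]/); next }
    # Commented-out keys (";url_login = ...") do not match because the line
    # must start with the key name after optional whitespace.
    in_jwt && /^[[:space:]]*url_login[[:space:]]*=/ {
      sub(/^[[:space:]]*url_login[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]]*[;#].*$/, "")   # strip trailing INI comment
      sub(/[[:space:]]+$/, "")
      v = tolower($0)
    }
    END {
      if (v == "true") print "url_login=true"; else print "url_login=false"
    }
  ' "$1"
}

# write_sample <path>
# Constructed sample grafana.ini with the weak setting, for demonstration only.
write_sample() {
  cat > "$1" <<'EOF'
[server]
http_port = 3000

[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
url_login = true   ; accepts ?auth_token= in the URL (the exposure path)
EOF
}

# Usage: sh check_url_login.sh /etc/grafana/grafana.ini
if [ -n "${1:-}" ]; then
  check_url_login "$1"
fi
```

The check reads only the file; Grafana also honours environment overrides of the form GF_AUTH_JWT_URL_LOGIN, so a container deployment should be checked for that variable as well. A result of url_login=false means the URL exposure path is closed, but upgrading to 9.2.17, 9.3.13, 9.4.9 or later is still the fix for the affected versions.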

Codename: Not available
Detectable with: Network Scanner
Scan engine: OpenVAS
Exploitable with Sniper: No
CVE Published: Apr 26, 2023
Detection added at
Software Type: Not available
Vendor: Not available
Product: Not available