CVE-2023-1387

MEDIUM4.2

Grafana is an open-source platform for monitoring and observability

Published Apr 26, 2023

Modified 11 months ago

No fix available

Details

Grafana is an open-source platform for monitoring and observability.

Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.

By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

References

WEBhttps://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j WEBhttps://grafana.com/security/security-advisories/cve-2023-1387/WEBhttps://security.netapp.com/advisory/ntap-20230609-0003/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2023-1387

CVSS Analysis

CVSS v3.1

4.2

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

HighPR:H

User Interaction

RequiredUI:R

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

NoneI:N

Availability

NoneA:N

4.2/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Weakness Type (CWE)

Information Disclosure

CWE-200

Information Exposure

Ecosystems

Timeline

PublishedApr 26, 2023

ModifiedFeb 13, 2025

CVE-2023-1387 | Mondoo Vulnerability Intelligence