CVE-2023-1387

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. When the "url_login" configuration option is enabled (it is disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
Configurations

Configuration 1

OR cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

History

09 Jun 2023, 08:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230609-0003/ -

Information

Published : 2023-04-26 14:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-1387

Mitre link : CVE-2023-1387

CVE.ORG link : CVE-2023-1387

Products Affected

grafana

  • grafana
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor