Summary:
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the url_login configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
Severity: Low
Advisory ID: KylinSec-SA-2023-1330
Release date: May 11, 2023
Related CVE: CVE-2023-1387
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2023-1387 | KY3.4-4A | grafana | Unaffected |
CVE-2023-1387 | KY3.4-5A | grafana | Unaffected |
CVE-2023-1387 | KY3.5.1 | grafana | Unaffected |
CVE-2023-1387 | KY3.5.2 | grafana | Unaffected |
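As an added illustration of how a defender would check for the condition the advisory describes (this is example code written for this page, not KylinSec's or Grafana's own code), the block below does two things: it reads a `grafana.ini` fragment and reports whether `url_login` is turned on in the `[auth.jwt]` section (the real location of that option), and it scans web-server access-log lines for requests that carry a JWT in the `auth_token` query parameter, which is exactly the token that can end up forwarded to a data source. The ini fragment, the log lines, the client addresses and the token strings are all constructed sample data; the log line shape is assumed to be a common-log-style format, and the regular expression would need adjusting for a different format.

```python
"""Audit helpers for the Grafana url_login / auth_token issue (constructed example)."""
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Constructed grafana.ini fragment showing the risky setting. The section name
# [auth.jwt] and the key url_login are Grafana's real names; url_login is off
# by default, so a missing key means the URL-token behaviour is not enabled.
SAMPLE_INI_RISKY = """
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
url_login = true
"""

# The same fragment with the option explicitly disabled (the safe configuration).
SAMPLE_INI_SAFE = """
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
url_login = false
"""

# Constructed access-log lines (hypothetical addresses and made-up token strings).
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2023:10:00:01 +0000] "GET /api/dashboards/home?auth_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123 HTTP/1.1" 200 512
10.0.0.6 - - [11/May/2023:10:00:02 +0000] "GET /api/health HTTP/1.1" 200 17
10.0.0.7 - - [11/May/2023:10:00:03 +0000] "GET /d/abcd?orgId=1&auth_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.def456 HTTP/1.1" 200 2048
"""

# Common-log-style request line: client, timestamp, method, request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def jwt_url_login_enabled(ini_text: str) -> bool:
    """Return True when [auth.jwt] url_login is enabled in the given ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("auth.jwt"):
        return False
    return cp.getboolean("auth.jwt", "url_login", fallback=False)


def redact(token: str) -> str:
    """Keep only the start of the JWT header segment so a finding never re-leaks the credential."""
    header = token.split(".", 1)[0]
    return header[:8] + "..."


def find_auth_token_requests(log_text: str) -> list[dict]:
    """Return one finding per request whose query string carries an auth_token value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        tokens = parse_qs(parts.query).get("auth_token")
        if not tokens:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "token_preview": redact(tokens[0]),
        })
    return findings


if __name__ == "__main__":
    print("url_login enabled (risky sample):", jwt_url_login_enabled(SAMPLE_INI_RISKY))
    print("url_login enabled (safe sample): ", jwt_url_login_enabled(SAMPLE_INI_SAFE))
    for f in find_auth_token_requests(SAMPLE_LOG):
        print("JWT in URL:", f)
```

If the config check reports `True`, the mitigation the advisory implies is to set `url_login = false` (or remove the key, since it defaults to off) and to rotate any JWTs that may have been forwarded to data sources; the log scan gives an inventory of which clients and paths actually sent tokens in the URL, without writing the token value itself into the report.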