CVE-2023-1387 - OpenCVE

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Grafana	Grafana

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

References

Link	Resource
https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j	Exploit Vendor Advisory
https://grafana.com/security/security-advisories/cve-2023-1387/	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230609-0003/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GRAFANA

Published: 2023-04-26T13:47:16.914Z

Updated: 2023-04-26T13:47:16.914Z

Reserved: 2023-03-14T11:11:01.304Z

Link: CVE-2023-1387

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-26T14:15:09.430

Modified: 2023-06-09T08:15:09.287

Link: CVE-2023-1387

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1387", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2023-03-14T11:11:01.304Z", "datePublished": "2023-04-26T13:47:16.914Z", "dateUpdated": "2023-04-26T13:47:16.914Z"}, "containers": {"cna": {"affected": [{"product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.2.17", "status": "affected", "version": "9.1.0", "versionType": "semver"}, {"lessThan": "9.3.13", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.5.0", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}, {"product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "9.2.17", "status": "affected", "version": "9.1.0", "versionType": "semver"}, {"lessThan": "9.3.13", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.5.0", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Grafana is an open-source platform for monitoring and observability. </p><p>Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. </p><p>By enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.</p>"}], "value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2023-04-26T13:47:16.914Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5664FC02-E4AA-41EC-8EAA-300AD2272CC2", "versionEndExcluding": "9.2.17", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A544263-545D-4D86-B29F-F7FC12E9A34F", "versionEndExcluding": "9.3.13", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "99EBCA47-A3CD-4C20-B151-300D43426EB2", "versionEndExcluding": "9.4.9", "versionStartIncluding": "9.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"}], "id": "CVE-2023-1387", "lastModified": "2023-06-09T08:15:09.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2023-04-26T14:15:09.430", "references": [{"source": "security@grafana.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"}, {"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-1387/"}, {"source": "security@grafana.com", "url": "https://security.netapp.com/advisory/ntap-20230609-0003/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@grafana.com", "type": "Secondary"}]}