Description
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
Mitigation
As per upstream (https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix)
- Switch to an authentication mechanism other than LDAP or OAuth
- Grafana should be isolated from public networks
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ceph Storage 2 | grafana | Affected | ||
Red Hat OpenStack Platform 8 (Liberty) Operational Tools | grafana | Will not fix | ||
Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | grafana | Will not fix | ||
Red Hat Ceph Storage 3.2 | grafana | Fixed | RHSA-2019:0019 | 03.01.2019 |
Red Hat Gluster Storage 3.4 for RHEL 7 | grafana | Fixed | RHSA-2018:3829 | 17.12.2018 |
Red Hat Gluster Storage 3.4 for RHEL 7 | tendrl-ansible | Fixed | RHSA-2018:3829 | 17.12.2018 |
Red Hat Gluster Storage 3.4 for RHEL 7 | tendrl-api | Fixed | RHSA-2018:3829 | 17.12.2018 |
Red Hat Gluster Storage 3.4 for RHEL 7 | tendrl-gluster-integration | Fixed | RHSA-2018:3829 | 17.12.2018 |
Red Hat Gluster Storage 3.4 for RHEL 7 | tendrl-monitoring-integration | Fixed | RHSA-2018:3829 | 17.12.2018 |
Red Hat Gluster Storage 3.4 for RHEL 7 | tendrl-node-agent | Fixed | RHSA-2018:3829 | 17.12.2018 |
Additional information
Status:
CVSS3: 5.5 Medium
Related vulnerabilities
A vulnerability in the Grafana data visualization web tool, related to authentication errors, that allows an attacker to affect the confidentiality, integrity and availability of protected information
CVSS3: 5.5 Medium