Authentication mechanism absence or evasion in github.com/grafana/grafana

Description

Grafana Authentication Bypass

Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

Specific Go Packages Affected

github.com/grafana/grafana/pkg/api

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
