FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Exposure of sensitive information to an unauthorized actor

Affected packages
9.1.0 <= grafana < 9.2.17
9.3.0 <= grafana < 9.3.13
9.4.0 <= grafana < 9.4.9
9.1.0 <= grafana9 < 9.2.17
9.3.0 <= grafana9 < 9.3.13
9.4.0 <= grafana9 < 9.4.9


VuXML ID 5e257b0d-e466-11ed-834b-6c3be5272acd
Discovery 2023-04-26
Entry 2023-04-26

Grafana Labs reports:

When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default X-JWT-Assertion ).

In Grafana, there is an additional way to authenticate using JWT called URL login where the token is passed as a query parameter.

When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.

The CVSS score for this vulnerability is 4.2 Medium


CVE Name CVE-2023-1387