Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid remember me cookie knowing only a username of an LDAP or OAuth user.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Grafana | Grafana | 2.0.0 (including) | 2.1.2 (including) |
Grafana | Grafana | 3.0.0 (including) | 3.1.1 (including) |
Grafana | Grafana | 4.0.0 (including) | 4.6.4 (excluding) |
Grafana | Grafana | 5.0.0 (including) | 5.2.3 (excluding) |