1624088 – (CVE-2018-15727) CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user

Bug 1624088 (CVE-2018-15727) - CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user

Summary: CVE-2018-15727 grafana: authentication bypass knowing only a username of an ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-15727
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1626399 1626400 1626401 1626866 1626867
Blocks:	1624089
TreeView+	depends on / blocked

Reported:	2018-08-30 22:11 UTC by Laura Pardo
Modified:	2021-02-16 23:08 UTC (History)
CC List:	17 users (show)
Fixed In Version:	grafana 5.2.3, grafana 4.6.4
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:37:05 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:3829	0	None	None	None	2018-12-17 17:06:22 UTC
Red Hat Product Errata	RHSA-2019:0019	0	None	None	None	2019-01-03 17:44:53 UTC

Description Laura Pardo 2018-08-30 22:11:09 UTC

A flaw was found in Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.


References:
https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/

Comment 1 Siddharth Sharma 2018-08-31 11:11:04 UTC

Reading code following seem to be fixes for this

For 5.2.x: https://github.com/grafana/grafana/commit/df83bf10a225811927644bdf6265fa80bdea9137
For 4.6.x: https://github.com/grafana/grafana/commit/7baecf0d0deae0d865e45cf03e082bc0db3f28c3

Comment 4 Siddharth Sharma 2018-09-07 06:22:37 UTC

Mitigation:

As per upstream (https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix)

* Switch to authentication mechanism other than LDAP or OAuth
* Grafana should be isolated from public networks

Comment 9 errata-xmlrpc 2018-12-17 17:06:21 UTC

This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2018:3829 https://access.redhat.com/errata/RHSA-2018:3829

Comment 10 errata-xmlrpc 2019-01-03 17:44:51 UTC

This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.2

Via RHSA-2019:0019 https://access.redhat.com/errata/RHSA-2019:0019

Note You need to log in before you can comment on or make changes to this bug.