A flaw was found in Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. References: https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/
Reading code following seem to be fixes for this For 5.2.x: https://github.com/grafana/grafana/commit/df83bf10a225811927644bdf6265fa80bdea9137 For 4.6.x: https://github.com/grafana/grafana/commit/7baecf0d0deae0d865e45cf03e082bc0db3f28c3
Mitigation: As per upstream (https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix) * Switch to authentication mechanism other than LDAP or OAuth * Grafana should be isolated from public networks
This issue has been addressed in the following products: Red Hat Gluster Storage 3.4 for RHEL 7 Via RHSA-2018:3829 https://access.redhat.com/errata/RHSA-2018:3829
This issue has been addressed in the following products: Red Hat Ceph Storage 3.2 Via RHSA-2019:0019 https://access.redhat.com/errata/RHSA-2019:0019