Where an attacker has control of a data source, the JWT token can be leaked to the data source when GF_AUTH_JWT_URL_TOKEN is set to true.

References:
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/jwt/?mkt_tok=MzU2LVlGRy0zODkAAAGLFetKhj7bubnwJdat7dsOUsknnKYqQ9qYPFzMoSlKt-Q2six9bJNYh9F9jYhkMcc7sxu_Zgchs7ypuWq1wvGij0ouoSHS40eCT0UURdmmvRo#url-login
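One way to audit a Grafana configuration for the setting described in the report above (an added example, not part of the original report and not Grafana's own code). It assumes the option is the `url_login` key under `[auth.jwt]` from the referenced documentation, also checks the variable name the report uses, and treats common boolean spellings as true; the sample configuration is constructed.

```python
import configparser

# Assumption: check both the variable name used in the report and the
# env override for the documented [auth.jwt] url_login option.
URL_ENV = ("GF_AUTH_JWT_URL_TOKEN", "GF_AUTH_JWT_URL_LOGIN")
TRUTHY = {"1", "t", "true", "y", "yes", "on"}  # assumed boolean spellings


def _truthy(value):
    return value is not None and value.strip().strip("\"'").lower() in TRUTHY


def _ini_value(ini_text, key):
    """Read [auth.jwt] <key> from grafana.ini text; None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may carry keys before the first section header.
    parser.read_string("[__top__]\n" + ini_text)
    return parser.get("auth.jwt", key, fallback=None)


def audit_jwt_url_login(ini_text, env):
    """Return findings; environment overrides take precedence over the file."""
    findings = []
    env_hits = [(n, env[n]) for n in URL_ENV if n in env]
    if env_hits:
        for name, value in env_hits:
            if _truthy(value):
                findings.append(f"env {name}={value.strip()} enables JWT URL login")
    elif _truthy(_ini_value(ini_text, "url_login")):
        findings.append("grafana.ini [auth.jwt] url_login enables JWT URL login")
    jwt_on = env.get("GF_AUTH_JWT_ENABLED", _ini_value(ini_text, "enabled"))
    if findings and not _truthy(jwt_on):
        findings.append("note: [auth.jwt] enabled is not true, so the setting is inactive")
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production
[auth.jwt]
enabled = true
; url_login = false
url_login = true
"""

if __name__ == "__main__":
    import os
    for line in audit_jwt_url_login(SAMPLE_INI, dict(os.environ)):
        print(line)
```
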
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2203041]
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741
This issue has been addressed in the following products: Red Hat Ceph Storage 5.3 Via RHSA-2024:0746 https://access.redhat.com/errata/RHSA-2024:0746