An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret or state in the documentation that a JWT secret must be generated. If InfluxDB is left in the default state, this flaw allows an attacker to generate their own JWT token and log into the InfluxDBinstance, potentially escalating privileges and gaining access to sensitive information.
For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a default shared-secret has be defined when enabling JWT authentication:
Versions including the fix will return an error if the secret is left empty.