CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 40.8%

github.com/grafana/grafana is vulnerable to Information Disclosure. The vulnerability exists in the initContextWithJWT function of auth_jwt.go because the JWT URL-login flow leaks tokens to data sources through request parameters in proxy requests.

github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j
github.com/grafana/grafana/commit/262d642d77dfb9556eaac53ba7355506cfcb58e5
github.com/grafana/grafana/commit/561ec5aab756b6fa6cc5163a80c47fe6ff83964e
github.com/grafana/grafana/commit/7a1a8b7a868753c214390da58d7fc833ae17fe72
github.com/grafana/grafana/commit/b22be8f498a617be2ee94ea9e5394852e223e5ac
github.com/grafana/grafana/commit/e89a2b136a5a2ca5951acdf3a1fc88ad9d5f583d
grafana.com/security/security-advisories/cve-2023-1387/
security.netapp.com/advisory/ntap-20230609-0003/
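
The leak described above can be reproduced with a generic reverse proxy: the inbound query string is forwarded unchanged unless the token parameter is removed first. This is an added example, not Grafana's code or its fix; the parameter name `auth_token`, the host `datasource.example`, the request path and all helper names are assumptions, and the token value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Assumed name of the URL-login query parameter; the page does not state it.
const jwtQueryParam = "auth_token"

// recorder stands in for the data source and keeps the query string it was sent.
type recorder struct{ seen string }

func (t *recorder) RoundTrip(r *http.Request) (*http.Response, error) {
	t.seen = r.URL.RawQuery
	return &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody, Request: r}, nil
}

// stripJWTParam removes the login token from the outbound query string.
func stripJWTParam(r *http.Request) {
	q := r.URL.Query()
	q.Del(jwtQueryParam)
	r.URL.RawQuery = q.Encode()
}

// querySeenByDataSource proxies one constructed request and returns the query the upstream got.
func querySeenByDataSource(sanitize bool) string {
	target, _ := url.Parse("http://datasource.example") // hypothetical data source
	rec := &recorder{}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = rec // no network traffic: the recorder answers every request
	forward := proxy.Director
	proxy.Director = func(r *http.Request) {
		if sanitize {
			stripJWTParam(r)
		}
		forward(r)
	}
	req := httptest.NewRequest("GET", "/proxy/query?auth_token=constructed.jwt.value&q=up", nil)
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return rec.seen
}

func main() {
	fmt.Println("forwarded as-is:", querySeenByDataSource(false))
	fmt.Println("token stripped: ", querySeenByDataSource(true))
}
```

The same comparison works as a regression check: assert that no outbound data source request carries the login parameter.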