CVE-2018-15727 — Improper Authentication in Grafana Grafana

CWE-287 — Improper Authentication8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

79.6%

top 0.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana Redhat Ceph Storage

Timeline

PublishedAug 29

Latest updateAug 21

Description

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDgrafana/grafana4.0.0 — 4.6.4+3

▶Gogithub.com/grafana_grafana5.0.0+incompatible — 5.2.3+incompatible+3

▶NVDredhat/ceph_storage3.0

Patches

Patch: grafana.com ↗Patch: grafana.com ↗

🔴Vulnerability Details

OSV

Grafana Authentication Bypass in github.com/grafana/grafana↗2024-08-21

▶

GHSA

Grafana Authentication Bypass↗2022-02-15

▶

OSV

Grafana Authentication Bypass↗2022-02-15

▶

CVEList

CVE-2018-15727: Grafana 2↗2018-08-29

▶

OSV

CVE-2018-15727: Grafana 2↗2018-08-29

▶

📋Vendor Advisories

Red Hat

grafana: authentication bypass knowing only a username of an LDAP or OAuth user↗2018-08-29

▶

💬Community

Bugzilla

CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user↗2018-08-30

▶