Grafana Labs reports:
When using the forgot password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate.

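The issue above is account enumeration through a differing error body. As an added example (not Grafana's own handler), the following Go snippet shows the shape of the fix: a hypothetical `sendResetEmail` handler for the reset endpoint that looks the account up, queues an email only when it exists, and returns the same status and body either way. The in-memory `knownUsers` table, the response wording and the `userOrEmail` field name are constructed for this example; the URL is the one named in the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownUsers stands in for the user table; constructed sample data.
var knownUsers = map[string]bool{"alice@example.com": true}

// resetResponse is the one message returned for every request, so the body
// does not reveal whether the identifier belongs to a registered account.
const resetResponse = "If that account exists, a password reset email has been sent."

// queued collects the addresses a real deployment would hand to a mailer.
var queued []string

type resetRequest struct {
	UserOrEmail string `json:"userOrEmail"`
}

// sendResetEmail is a hypothetical handler for the reset endpoint: it looks the
// account up, queues the email only when it exists, and replies identically
// either way (same status, same body) instead of a "user not found" message.
func sendResetEmail(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.UserOrEmail == "" {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if knownUsers[strings.ToLower(req.UserOrEmail)] {
		queued = append(queued, req.UserOrEmail) // side effect only for real accounts
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(map[string]string{"message": resetResponse})
}

// reply drives the handler in memory and returns the status code and body
// a client would see for the given identifier.
func reply(userOrEmail string) (int, string) {
	body := fmt.Sprintf(`{"userOrEmail":%q}`, userOrEmail)
	req := httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", strings.NewReader(body))
	rec := httptest.NewRecorder()
	sendResetEmail(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, u := range []string{"alice@example.com", "nobody@example.com"} {
		code, body := reply(u)
		fmt.Printf("%-20s -> %d %s\n", u, code, body)
	}
}
```

A uniform body is only part of the mitigation: the lookup-and-queue path should also take roughly constant time, and the endpoint should be rate limited, otherwise the same distinction leaks through timing or through the mail that does or does not arrive.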
Grafana Labs reports:
Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existing users get an email invite; existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

The CVSS score for this vulnerability is 6.4 Moderate.

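The defensive property missing above is that an invite token should be bound to the address it was issued for. As an added example, not Grafana's invite code, this Go snippet keeps a small invite store whose `accept` step refuses sign-up under any email other than the invited one, and also enforces expiry and single use. The `inviteStore` type, token format and function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// invite records who was invited to which organization. Constructed type.
type invite struct {
	Email   string
	OrgID   int64
	Expires time.Time
	Used    bool
}

// inviteStore is an in-memory stand-in for the invites table.
type inviteStore struct {
	mu      sync.Mutex
	byToken map[string]*invite
	now     func() time.Time // injectable clock for tests
}

func newInviteStore() *inviteStore {
	return &inviteStore{byToken: map[string]*invite{}, now: time.Now}
}

var (
	errUnknownInvite = errors.New("invite not found, used, or expired")
	errEmailMismatch = errors.New("sign-up email does not match the invited address")
)

// create issues a random token bound to the invited email address.
func (s *inviteStore) create(email string, orgID int64, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byToken[token] = &invite{Email: strings.ToLower(email), OrgID: orgID, Expires: s.now().Add(ttl)}
	return token, nil
}

// accept completes sign-up. The caller-supplied email must equal the invited
// one; holding the token alone does not let a user join the organization under
// an identity of their choosing. Each token is consumed on first success.
func (s *inviteStore) accept(token, signupEmail string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	inv, ok := s.byToken[token]
	if !ok || inv.Used || s.now().After(inv.Expires) {
		return 0, errUnknownInvite
	}
	if strings.ToLower(signupEmail) != inv.Email {
		return 0, errEmailMismatch
	}
	inv.Used = true
	return inv.OrgID, nil
}

func main() {
	s := newInviteStore()
	tok, _ := s.create("bob@example.com", 7, time.Hour)
	_, err := s.accept(tok, "someone-else@example.com")
	fmt.Println("mismatched sign-up:", err)
	org, err := s.accept(tok, "bob@example.com")
	fmt.Println("matching sign-up: org", org, "err", err)
}
```

Binding the token to the address also gives the org admin an audit trail: the member who appears in the organization is the one they typed into the invite form, not whoever followed the link.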
Grafana Labs reports:
Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could cause an HTTP request to be assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical.

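The bug class described above is per-request authentication state leaking between concurrent requests. As an added example (not Grafana's middleware code), this Go program shows the pattern that rules it out: the authentication result lives only on the request's own `context.Context`, and the authorization middleware reads from the request it was handed, so there is no shared field that one request can overwrite for another. The `X-Demo-User` header standing in for a session lookup, the endpoint paths and the `countMisrouted` load harness are all constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
)

// ctxKey is unexported so only this package can set or read the stored identity.
type ctxKey struct{}
// identity is what the auth middleware resolved for one request; constructed type.
type identity struct {
	User    string
	IsAdmin bool
}

// authenticate resolves the caller from a constructed X-Demo-User header (standing
// in for a session lookup) and stores the result on this request's context only.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var id *identity // nil means unauthenticated
		if u := r.Header.Get("X-Demo-User"); u != "" {
			id = &identity{User: u, IsAdmin: u == "admin"}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, id)))
	})
}

// requireAdmin decides from the context of the request it was handed, never from state shared between requests.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, _ := r.Context().Value(ctxKey{}).(*identity)
		switch {
		case id == nil:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case !id.IsAdmin:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func newMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok") // public endpoint, no auth middleware
	})
	mux.Handle("/api/admin/settings", authenticate(requireAdmin(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			id := r.Context().Value(ctxKey{}).(*identity)
			fmt.Fprintf(w, "settings for %s", id.User)
		}))))
	return mux
}

type probe struct {
	user, path string
	want       int
}

var probes = []probe{
	{"", "/api/health", http.StatusOK},
	{"", "/api/admin/settings", http.StatusUnauthorized},
	{"viewer", "/api/admin/settings", http.StatusForbidden},
	{"admin", "/api/admin/settings", http.StatusOK},
}

// countMisrouted fires every probe `rounds` times concurrently, mixing public and
// privileged traffic, and returns how many responses carried the wrong status.
func countMisrouted(h http.Handler, rounds int) int {
	var bad int64
	var wg sync.WaitGroup
	for i := 0; i < rounds; i++ {
		for _, p := range probes {
			wg.Add(1)
			go func(p probe) {
				defer wg.Done()
				req := httptest.NewRequest(http.MethodGet, p.path, nil)
				if p.user != "" {
					req.Header.Set("X-Demo-User", p.user)
				}
				rec := httptest.NewRecorder()
				h.ServeHTTP(rec, req)
				if rec.Code != p.want {
					atomic.AddInt64(&bad, 1)
				}
			}(p)
		}
	}
	wg.Wait()
	return int(bad)
}

func main() {
	fmt.Println("misrouted responses under load:", countMisrouted(newMux(), 200))
}
```

The harness is also a useful regression shape: a concurrent mix of anonymous, low-privilege and privileged requests whose expected statuses are known, run under `go test -race`, catches a middleware that caches its decision in a struct field or a package-level variable.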
Grafana Labs reports:
On July 4th, as a result of an internal security audit, we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

Grafana Labs reports:
On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis, the vulnerability impacts data source and plugin proxy endpoints with authentication tokens, but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

Grafana Labs reports:
On September 7th, as a result of an internal security audit, we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis, the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

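For a proxy endpoint the invariant is that the browser's credentials for Grafana itself must not travel to the data source or plugin backend. As an added example, not Grafana's proxy implementation, this Go snippet builds a `net/http/httputil` reverse proxy whose `Director` drops the client's `Cookie` and `Authorization` headers and attaches only the credential configured for that backend. `outboundHeaders` reproduces what `ReverseProxy.ServeHTTP` does (clone, then rewrite) so the result can be inspected without a network. The proxy path, the backend host and the `ds-token-placeholder` value are placeholders; the cookie value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// stripFromUpstream lists client headers that must never be forwarded to a data
// source or plugin backend: the browser's session cookie and whatever credential
// the browser used to authenticate to the proxying server itself.
var stripFromUpstream = []string{"Cookie", "Authorization"}

// newDataSourceProxy builds a reverse proxy for one backend. Its Director first
// runs the stock single-host rewrite, then drops the client's own credentials
// and attaches only the credential configured for that data source.
func newDataSourceProxy(target *url.URL, dsToken string) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	rewrite := proxy.Director
	proxy.Director = func(req *http.Request) {
		rewrite(req)
		for _, h := range stripFromUpstream {
			req.Header.Del(h)
		}
		req.Header.Set("Authorization", "Bearer "+dsToken) // per-data-source credential
	}
	return proxy
}

// outboundHeaders returns the headers the backend would receive for a client
// request. ReverseProxy.ServeHTTP clones the request before calling Director;
// doing the same here leaves the caller's request untouched.
func outboundHeaders(proxy *httputil.ReverseProxy, client *http.Request) http.Header {
	out := client.Clone(client.Context())
	proxy.Director(out)
	return out.Header
}

// sampleClientRequest is a constructed browser request to the proxy endpoint,
// carrying a session cookie and a basic-auth header as a browser might.
func sampleClientRequest() *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/api/datasources/proxy/1/api/v4/projects", nil)
	req.Header.Set("Cookie", "grafana_session=constructed-session-value")
	req.Header.Set("Authorization", "Basic dXNlcjpwYXNz")
	req.Header.Set("Accept", "application/json")
	return req
}

func main() {
	target, _ := url.Parse("https://gitlab.example.invalid") // placeholder backend
	proxy := newDataSourceProxy(target, "ds-token-placeholder")
	for k, v := range outboundHeaders(proxy, sampleClientRequest()) {
		fmt.Printf("%s: %v\n", k, v)
	}
}
```

An allow-list of headers to forward is stricter than the deny-list shown here and is the better default when the set of headers a backend legitimately needs is known. On Go 1.20 and later the same logic can be placed in the `Rewrite` hook instead of `Director`.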
Grafana Labs reports:
On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address.

In Grafana, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented from signing in to Grafana, since user_1’s password won’t match with user_2’s email address.

The CVSS score for this vulnerability is 4.3 moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

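When a login form accepts either identifier, uniqueness has to hold across both columns, not just within each. As an added example (not Grafana's user store), this Go snippet enforces that a new login may not equal any existing email and a new email may not equal any existing login, while still letting a user choose their own email address as their login, and shows a `lookup` mirroring the form so an identifier resolves to at most one account. The `userStore` type, its maps and the sample identifiers are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// account is a minimal user record; constructed for this example.
type account struct {
	Login string
	Email string
}

// userStore indexes accounts by both fields so either one can be checked.
type userStore struct {
	byLogin map[string]account
	byEmail map[string]account
}

func newUserStore() *userStore {
	return &userStore{byLogin: map[string]account{}, byEmail: map[string]account{}}
}

var (
	errLoginTaken   = errors.New("login already in use")
	errEmailTaken   = errors.New("email already in use")
	errLoginIsEmail = errors.New("login matches another user's email address")
	errEmailIsLogin = errors.New("email matches another user's login")
)

// norm folds case and whitespace so "User_1" and "user_1 " are the same identifier.
func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// register enforces uniqueness across both fields, not just within each one:
// a new login may not equal an existing email and a new email may not equal an
// existing login, because the login form accepts either identifier and would
// otherwise resolve one string to two accounts. A user may still use their own
// email address as their login.
func (s *userStore) register(login, email string) error {
	l, e := norm(login), norm(email)
	if _, ok := s.byLogin[l]; ok {
		return errLoginTaken
	}
	if _, ok := s.byEmail[e]; ok {
		return errEmailTaken
	}
	if _, ok := s.byEmail[l]; ok {
		return errLoginIsEmail
	}
	if _, ok := s.byLogin[e]; ok {
		return errEmailIsLogin
	}
	a := account{Login: l, Email: e}
	s.byLogin[l] = a
	s.byEmail[e] = a
	return nil
}

// lookup mirrors a login form that accepts either login or email. With the
// register checks above, an identifier resolves to at most one account.
func (s *userStore) lookup(loginOrEmail string) (account, bool) {
	k := norm(loginOrEmail)
	if a, ok := s.byLogin[k]; ok {
		return a, true
	}
	if a, ok := s.byEmail[k]; ok {
		return a, true
	}
	return account{}, false
}

func main() {
	s := newUserStore()
	fmt.Println("user_1:", s.register("user_1", "user1@example.com"))
	fmt.Println("user_2:", s.register("user1@example.com", "user2@example.com")) // rejected
	a, _ := s.lookup("user1@example.com")
	fmt.Println("user1@example.com resolves to", a.Login)
}
```

In a relational store the same rule is a check at registration and profile-update time against both columns; a plain unique constraint per column does not express it.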