LDAP & OAuth login vulnerability (CVE-2018-558213)
On the 20th of August at 1800 CEST we were contacted about a potential security issue with the “remember me” cookie Grafana sets upon login. The issue targeted users without a local Grafana password (LDAP & OAuth users) and enabled a potential attacker to generate a valid cookie knowing only a username. We immediately recognized the high severity of this vulnerability and quickly developed a patch for 5.x and 4.x.
Grafana releases 2.0 through 5.2.2 are affected by this vulnerability.
Solutions and mitigations
All installations which use the Grafana LDAP or OAuth authentication features must be upgraded as soon as possible. If you cannot upgrade, you should switch authentication mechanisms or put additional protections in front of Grafana such as a reverse proxy.
CVE ID: CVE-2018-558213
We would like to thank Sebastian Solnica for reporting this issue.