Identity spoofing

  • What Grafana version and what operating system are you using?
    7.1.5, the free download version.

  • What are you trying to achieve?
    Would like to report a security issue.

  • How are you trying to achieve it?
    The ldap.toml is correctly setup. User can authenticate through LDAP to Grafana.
    A valid user Staff ( one day updates himself as Manager ( and saves it. He then tricks the Grafana admin to believe his Manager has trouble viewing some sensitive Grafana folders. The Grafana admin checks those sensitive folders and adds Manager back. The naughty Staff is then able to view the sensitive folders the next time he logs in as usual.

  • What happened?
    Because Grafana allows updates of identity fields in the Preference page, spoofing is possible.

  • What did you expect to happen?
    I expect certain user identities like username should not be freely updatable, despite the LDAP fields are sync’ed every time.

  • Can you copy/paste the configuration(s) that you are having problems with?
    Not necessary I suppose.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Not at all.

  • Did you follow any online instructions? If so, what is the URL?

Thank you team

Found an option in v8.5.0 to disable the user profile page. Thanks all.