FreeBSD : grafana -- LDAP and OAuth login vulnerability (1f8d5806-ac51-11e8-9cb6-10c37b4ac2ea)

high Nessus Plugin ID 112236

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Grafana Labs reports :

On the 20th of August at 1800 CEST we were contacted about a potential security issue with the 'remember me' cookie Grafana sets upon login. The issue targeted users without a local Grafana password (LDAP & OAuth users) and enabled a potential attacker to generate a valid cookie knowing only a username.

All installations which use the Grafana LDAP or OAuth authentication features must be upgraded as soon as possible. If you cannot upgrade, you should switch authentication mechanisms or put additional protections in front of Grafana such as a reverse proxy.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?70768992

http://www.nessus.org/u?189b9540

Plugin Details

Severity: High

ID: 112236

File Name: freebsd_pkg_1f8d5806ac5111e89cb610c37b4ac2ea.nasl

Version: 1.3

Type: local

Published: 9/4/2018

Updated: 8/13/2024

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:grafana3, p-cpe:/a:freebsd:freebsd:grafana4, cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:grafana2, p-cpe:/a:freebsd:freebsd:grafana5

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 8/31/2018

Vulnerability Publication Date: 8/20/2018

Reference Information

CVE: CVE-2018-558213