Information Disclosure

2023-05-0204:31:51

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

information disclosure

jwt

auth_jwt.go

proxy requests

data sources

0.001 Low

EPSS

Percentile

46.5%

JSON

github.com/grafana/grafana is vulnerable to Information Disclosure. The vulnerability exists in the initContextWithJWT function of auth_jwt.go because the JWT URL-login flow leaks tokens to data sources through request parameters in proxy requests.

CPENameOperatorVersion
github.com/grafana/grafanalev9.3.11
github.com/grafana/grafanalev9.2.15
github.com/grafana/grafanalev9.4.7
github.com/grafana/grafanalev9.3.11
github.com/grafana/grafanalev9.2.15
github.com/grafana/grafanalev9.4.7

Name	Operator	Version
github.com/grafana/grafana	le	v9.3.11
github.com/grafana/grafana	le	v9.2.15
github.com/grafana/grafana	le	v9.4.7
github.com/grafana/grafana	le	v9.3.11
github.com/grafana/grafana	le	v9.2.15
github.com/grafana/grafana	le	v9.4.7