CVE-2023-1387: 
Grafana vulnerability analysis and mitigation

A vulnerability was discovered in Grafana versions 9.1.0 through versions prior to 9.5.1, 9.5.0, 9.4.9, 9.3.13, and 9.2.17, identified as CVE-2023-1387. The vulnerability relates to JWT token leakage when using the URL login feature. When the 'url_login' configuration option is enabled (though disabled by default), JWT tokens passed as query parameters could be leaked to data sources during proxy requests (Grafana Advisory).

The vulnerability occurs in Grafana's JWT authentication mechanism, specifically in the URL login flow. When using URL LOGIN functionality, authentication tokens are passed as query parameters using the 'auth_token' parameter. While the token is used for authentication to Grafana, it is not removed from the proxied request and instead gets forwarded to the target data source. This implementation flaw exists in the URL token retrieval process and the backend service handling (GitHub Advisory). The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NetApp Advisory).

The successful exploitation of this vulnerability could lead to unauthorized access to Grafana with the privileges of the victim user. If an attacker has access to the data source, they could capture the leaked JWT token and use it to authenticate to Grafana, potentially accessing sensitive information for as long as the JWT remains valid. The JWT itself may also contain sensitive information as it is an ID_TOKEN (GitHub Advisory).

The vulnerability has been fixed in Grafana versions 9.5.1, 9.5.0, 9.4.9, 9.3.13, and 9.2.17. Users are advised to upgrade to these patched versions to address the security issue (Grafana Advisory).