CVE-2018-15727
grafana: authentication bypass knowing only a username of an LDAP or OAuth user
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
Grafana en versiones 2.x, 3.x y 4.x anteriores a la 4.6.4 y versiones 5.x anteriores a la 5.2.3 permite la omisión de autenticación debido a que un atacante puede generar una cookie "remember me" válida conociendo solo el nombre de usuario de un usuario LDAP u OAuth.
Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage Web Administration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS. Issues addressed include a bypass vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-08-22 CVE Reserved
- 2018-08-29 CVE Published
- 2018-08-31 First Exploit
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/105184 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/u238/grafana-CVE-2018-15727 | 2018-08-31 | |
| https://github.com/grimbelhax/CVE-2018-15727 | 2022-03-11 |
| URL | Date | SRC |
|---|---|---|
| https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix | 2019-03-05 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:3829 | 2019-03-05 | |
| https://access.redhat.com/errata/RHSA-2019:0019 | 2019-03-05 | |
| https://access.redhat.com/security/cve/CVE-2018-15727 | 2019-01-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1624088 | 2019-01-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 2.0.0 <= 2.1.2 Search vendor "Grafana" for product "Grafana" and version " >= 2.0.0 <= 2.1.2" | - |
Affected
| ||||||
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 3.0.0 <= 3.1.1 Search vendor "Grafana" for product "Grafana" and version " >= 3.0.0 <= 3.1.1" | - |
Affected
| ||||||
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 4.0.0 < 4.6.4 Search vendor "Grafana" for product "Grafana" and version " >= 4.0.0 < 4.6.4" | - |
Affected
| ||||||
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 5.0.0 < 5.2.3 Search vendor "Grafana" for product "Grafana" and version " >= 5.0.0 < 5.2.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 3.0 Search vendor "Redhat" for product "Ceph Storage" and version "3.0" | - |
Affected
| ||||||