
Menus displayed even though user is not authenticated #50336

Closed
jmatosgrafana opened this issue Jun 7, 2022 · 6 comments
Labels
area/dashboard/snapshot area/ux needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc

Comments


jmatosgrafana commented Jun 7, 2022

If an authenticated user accesses the URL https://<grafana_instance>/dashboard/snapshot/*, he gets redirected to https://<grafana_instance>/dashboard/snapshot/*?orgId=0 instead of being redirected to the login page.

The various menus get displayed which is unexpected.
Yet no data is being returned (and a temporary Unauthorized warning pops up).

This leads to the following security assessment: CVSS score 0.0

Hence this is not a security vulnerability. But as it is confusing for the end user it can be considered a UI bug.

@ashharrison90 (Contributor) commented:

hey @jmatosgrafana 👋

i'm not sure i'd expect it to redirect to the login page... i think that would be equally confusing. sounds like we need to improve the generic Snapshot not found page?

@ashharrison90 ashharrison90 added the needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc label Jun 7, 2022
@sakjur sakjur added the area/ux label Jun 7, 2022

sakjur commented Jun 7, 2022

Agreed, we should have better 404 routing (this should probably be redirected to the generic 404 page, but also that should probably not have visible menus for unauthenticated users when anonymous access isn’t enabled, related to #50341)

@ashharrison90 (Contributor) commented:

discussed this with the team and this is expected behaviour. we need to show the left hand nav in order to surface the sign in button. snapshots are visible for unauthenticated users even when anonymous access is disabled.

@BrotherOfJhonny commented:

I've been trying to demonstrate that the vulnerability exists, but I believe you're just focusing on the thought "no data has been accessed", which at no time have I described. The vulnerability lies in the following points:

- If the user has installed plugins that add new features, these features will also be displayed in the menu. Even if the session does not return anything, the attacker will be able to see these features, as they will be displayed in the side menus.
- Another point is that with the use of a web proxy (Burp, OWASP ZAP, etc.) an attacker can access these menus and perform a reconnaissance of the endpoints. Even if it does not return data because it is not a valid session, the attacker will have a view of how calls are made and which endpoints exist.

This flaw could be categorized as A04:2021 Insecure Design.

Understand I'm trying to contribute to the security of the system.

@jmatosgrafana (Contributor, Author) commented:

Thank you @BrotherOfJhonny for the extra information.

We have cross-checked internally and reached the same conclusion from a security impact point of view: only panel plugins would be listed (not datasource plugins) and anyhow endpoints are public in open source software.

Nevertheless we are committed to consider any feedback that can improve our security posture: your reports enabled us to identify and track this security enhancement issue.

Do not hesitate to come back to us should we have missed something or if you have a specific exploitation scenario in mind.

@wheniwas commented:

zero detriment

5 participants