Menus displayed even though user is not authenticated #50336
Comments
hey @jmatosgrafana 👋 i'm not sure i'd expect it to redirect to the login page... i think that would be equally confusing. sounds like we need to improve the generic
Agreed, we should have better 404 routing (this should probably be redirected to the generic 404 page, but also that should probably not have visible menus for unauthenticated users when anonymous access isn't enabled, related to #50341)
discussed this with the team and this is expected behaviour. we need to show the left hand nav in order to surface the sign in button. snapshots are visible for unauthenticated users even when anonymous access is disabled.
I've been trying to demonstrate that the vulnerability exists, but I believe you're just focusing on the thought "no data has been accessed", and at no time have I described it. The vulnerability lies in the following points: if the user has installed plugins that add new features, these features will also be displayed in the menu. Even if the session does not return anything, the attacker will be able to see these features, as they will be displayed in the side menus. This flaw could be categorized as A04:2021 Insecure Design. Understand that I'm trying to contribute to the security of the system.
Thank you @BrotherOfJhonny for the extra information. We have cross-checked internally and reached the same conclusion from a security impact point of view: only panel plugins would be listed (not datasource plugins) and anyhow endpoints are public in open source software. Nevertheless we are committed to consider any feedback that can improve our security posture: your reports enabled us to identify and track this security enhancement issue. Do not hesitate to come back to us should we have missed something or if you have a specific exploitation scenario in mind.
zero detriment
If an authenticated user accesses the URL
https://<grafana_instance>/dashboard/snapshot/*
he gets redirected to
https://<grafana_instance>/dashboard/snapshot/*?orgId=0
instead of being redirected to the login page. The various menus get displayed, which is unexpected.
Yet no data is being returned (and a temporary Unauthorized warning pops up).
This leads to the following security assessment: CVSS score 0.0
Hence this is not a security vulnerability. But as it is confusing for the end user it can be considered a UI bug.
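The thread disagrees about what an unauthenticated request to the snapshot route actually exposes (the redirect to `?orgId=0`, the visible navigation, and whether plugin pages appear in it). The script below is an added example, not code from the issue or from the Grafana project, for checking that on a given instance instead of arguing from memory. It assumes, which the page does not state, that the served HTML embeds the navigation tree as `window.grafanaBootData = { ..., navTree: [...] }` and that app-plugin pages are routed under `/a/<plugin-id>`; the sample response it ships with is constructed for offline use. Run it with a base URL to check a real instance, or with no arguments to see it work on the embedded sample.

```python
"""Added example (not from the issue or from Grafana): report what the navigation
tree of a page reveals to a client that carries no session.

Assumptions not stated on the page: the HTML embeds the nav tree as
`window.grafanaBootData = { ..., navTree: [...], ... }`, and app-plugin pages
live under the `/a/<plugin-id>` route. Adjust extract_nav_tree() if your
version lays the page out differently.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample, standing in for a real snapshot page fetched without cookies.
SAMPLE_FINAL_URL = "https://grafana.example.test/dashboard/snapshot/abc?orgId=0"
SAMPLE_HTML = """<!doctype html><html><head><title>Grafana</title></head><body>
<div id="reactRoot"></div>
<script>
window.grafanaBootData = {
  user: {"isSignedIn": false},
  navTree: [
    {"id": "home", "text": "Home", "url": "/"},
    {"id": "dashboards", "text": "Dashboards", "url": "/dashboards", "children": [
      {"id": "dashboards/snapshots", "text": "Snapshots", "url": "/dashboard/snapshots"}
    ]},
    {"id": "plugin-page-example-app", "text": "Example App", "url": "/a/example-app", "children": [
      {"id": "example-app-reports", "text": "Reports", "url": "/a/example-app/reports"}
    ]},
    {"id": "signin", "text": "Sign In", "url": "/login"}
  ],
  themePaths: {"light": "/public/build/grafana.light.css"}
};
</script></body></html>"""


def extract_nav_tree(html):
    """Locate `navTree:` in the boot data and decode only that JSON array.

    raw_decode() stops at the closing bracket, so the surrounding JavaScript
    object literal (unquoted keys, other members) does not need to be valid JSON.
    """
    marker = "navTree:"
    pos = html.find(marker)
    if pos < 0:
        return []
    start = html.index("[", pos + len(marker))
    tree, _ = json.JSONDecoder().raw_decode(html[start:])
    return tree


def flatten_nav(nodes, depth=0):
    """Yield (depth, id, text, url) for every node, walking children recursively."""
    for node in nodes:
        yield depth, node.get("id", ""), node.get("text", ""), node.get("url", "")
        yield from flatten_nav(node.get("children", []), depth + 1)


def assess(final_url, html):
    """Summarise what one unauthenticated page load reveals."""
    parsed = urlparse(final_url)
    items = list(flatten_nav(extract_nav_tree(html)))
    plugin_items = [i for i in items if i[3].startswith("/a/")]  # assumed app-plugin route
    return {
        "landed_on_org0": parse_qs(parsed.query).get("orgId") == ["0"],
        "redirected_to_login": parsed.path.rstrip("/").endswith("/login"),
        "nav_item_count": len(items),
        "nav_ids": [i[1] for i in items],
        "plugin_pages": [(i[2], i[3]) for i in plugin_items],
    }


def fetch_unauthenticated(base_url, path="/dashboard/snapshot/anyid"):
    """GET the snapshot route with no cookies; return (final URL, body).

    urlopen follows redirects, so geturl() shows where the client finally landed.
    A 401/403 still carries a body worth inspecting, so it is returned rather than raised.
    """
    req = urllib.request.Request(urljoin(base_url, path), headers={"User-Agent": "nav-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.geturl(), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        final_url, body = fetch_unauthenticated(sys.argv[1])
    else:
        final_url, body = SAMPLE_FINAL_URL, SAMPLE_HTML
    for key, value in assess(final_url, body).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the `orgId=0` landing, no redirect to login, six navigation entries, and two entries under `/a/` (the plugin pages the reporter is concerned about). Against a real instance, an empty `plugin_pages` list with `landed_on_org0` true would support the maintainers' reading; populated plugin pages would support the reporter's.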