Description
Viewing a snapshot (or any public route such as the 404 page) as an unauthenticated user shows extraneous items in the Navbar:
Search, Starred and Dashboards should not be visible, as there's nothing an unauthenticated user can do with them. Similarly, clicking the Grafana logo redirects to the base URL, which throws an Unauthorized error. This should probably redirect to /login.
Any fix needs to bear in mind anonymous auth 👍
Original report
If an unauthenticated user accesses the URL https://<grafana_instance>/dashboard/snapshot/{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 he is shown a generic 404 "Page not found" error with a menu on the left side, instead of being redirected to the login page.
Yet no data is being returned when interacting with the menu (and a temporary Unauthorized warning pops up).
This leads to the following security assessment: CVSS score 0.0
Hence, this is not a security vulnerability. But as it is confusing for the end user, it can be considered a UI bug.
Status: 🚀 Done
