Jmatosgrafana

**Name of the Vulnerable Software and Affected Versions** Grafana version 8.4.3 **Description** The issue in Grafana is related to the possibility of bypassing the authentication procedure. Exploitation of this issue may allow a remote attacker to elevate their privileges by sending a specially crafted HTTP request. The problem is also described as allowing the reading of files via a specific URI, such as "/dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../etc/passwd". However, the vendor's position is that there is no vulnerability, as this request yields a benign error page, not the content of /etc/passwd. **Recommendations** For Grafana version 8.4.3, consider restricting access to the /dashboard/snapshot/ endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `constructor.constructor` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.