PT-2018-3433 · Grafana

Published: 2018-08-29 · Updated: 2024-08-21 · CVE-2018-15727

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Grafana versions 2.x through 4.x before 4.6.4; Grafana versions 5.x before 5.2.3
Description: The vulnerability is an authentication flaw in the Grafana web tool that allows an attacker to bypass authentication by generating a valid "remember me" cookie while knowing only the username of an LDAP or OAuth user. Exploitation of this issue may impact the confidentiality, integrity, and availability of protected information.
Recommendations: For Grafana versions 2.x through 4.x before 4.6.4, update to version 4.6.4 or later. For Grafana versions 5.x before 5.2.3, update to version 5.2.3 or later. As a temporary workaround until the fix can be applied, consider restricting access to the Grafana HTTP API endpoints (implemented in github.com/grafana/grafana/pkg/api), and avoid using the "remember me" cookie feature in affected versions until the issue is resolved.

Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2018-2486
BDU:2020-01361
CVE-2018-15727
ECHO-8B5E-2AAC-BACF
GHSA-RGJG-66CX-5X9M
GO-2022-0707
RHSA-2018:3829
RHSA-2019:0019
SUSE-SU-2019:2671-1
SUSE-SU-2019:2867-1
SUSE-SU-2020:1273-1

Affected Products

Alt Linux
Grafana