CVE-2022-32276: Menus displayed even though user is not authenticated · Issue #50336 · grafana/grafana
** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability.
I’ve been trying to demonstrate that the vulnerability exists, but I believe you’re just focusing on the thought, "no data has been accessed", and at no time have I described it. The vulnerability lies in the following points:
If the user has installed plugins that add new features, these features will also be displayed in the menu. Even if the session does not return anything, the attacker will be able to see these features as they will be displayed in the side menus.
Another point is that, with the use of a web proxy (Burp, OWASP ZAP, etc.), an attacker can access these menus and perform reconnaissance of the endpoints. Even if they do not return data because the session is not valid, the attacker will have a view of how calls are made and to which endpoints.
This flaw could be categorized as A04:2021 Insecure Design.
Understand that I’m trying to contribute to the security of the system.
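The reconnaissance the reporter describes can be scripted rather than read off by hand in a proxy. The block below is an added example and is not code from the issue thread or from the Grafana project. It assumes the page returned for the unauthenticated `/dashboard/snapshot/*?orgId=0` request embeds Grafana's frontend boot data as a `window.grafanaBootData = {...};` script, that the object is valid JSON, that `user.isSignedIn` reports the session state and that `navTree` holds the side-menu model; the HTML it parses is a constructed sample with that shape, not a capture from a real server, and the `EXPECTED_ANONYMOUS_IDS` baseline is a placeholder to adjust per deployment.

```python
import json
import re

# Constructed sample: a page that still carries a populated navTree although
# user.isSignedIn is false. Not a capture from a real Grafana instance.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Grafana</title></head>
<body>
<script>
window.grafanaBootData = {
  "user": {"isSignedIn": false, "orgId": 0, "orgRole": ""},
  "settings": {"appUrl": "http://grafana.example/"},
  "navTree": [
    {"id": "dashboards", "text": "Dashboards", "url": "/dashboards",
     "children": [{"id": "snapshots", "text": "Snapshots", "url": "/dashboard/snapshots"}]},
    {"id": "explore", "text": "Explore", "url": "/explore"},
    {"id": "plugin-page-acme-app", "text": "Acme App", "url": "/a/acme-app",
     "children": [{"id": "acme-reports", "text": "Reports", "url": "/a/acme-app/reports"}]},
    {"id": "help", "text": "Help", "url": "#"}
  ]
};
</script>
</body></html>
"""

BOOT_DATA_RE = re.compile(r"window\.grafanaBootData\s*=\s*")

# Assumption: menu ids an anonymous visitor may legitimately see. Tune per deployment.
EXPECTED_ANONYMOUS_IDS = {"help"}


def _balanced_json_object(text, start):
    """Return the object literal beginning at text[start] == '{', honouring quoted strings."""
    depth = 0
    in_str = False
    escaped = False
    for i in range(start, len(text)):
        ch = text[i]
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unterminated object literal")


def extract_boot_data(html):
    """Locate and parse the embedded boot data object (assumed to be valid JSON)."""
    m = BOOT_DATA_RE.search(html)
    if not m:
        raise ValueError("no grafanaBootData found in page")
    return json.loads(_balanced_json_object(html, m.end()))


def walk_nav(nav_tree, depth=0):
    """Flatten navTree depth-first into (depth, id, text, url) tuples."""
    for item in nav_tree:
        yield (depth, item.get("id", ""), item.get("text", ""), item.get("url", ""))
        yield from walk_nav(item.get("children", []), depth + 1)


def leaked_menu_entries(html):
    """Menu entries served to an unauthenticated session beyond the anonymous baseline."""
    boot = extract_boot_data(html)
    if boot.get("user", {}).get("isSignedIn"):
        return []  # signed-in session: a full menu is expected, nothing to report
    return [e for e in walk_nav(boot.get("navTree", [])) if e[1] not in EXPECTED_ANONYMOUS_IDS]


def plugin_entries(entries):
    """App-plugin pages are routed under /a/<plugin-id>; their presence reveals installed plugins."""
    return [e for e in entries if e[3].startswith("/a/")]


if __name__ == "__main__":
    leaked = leaked_menu_entries(SAMPLE_HTML)
    for depth, nav_id, text, url in leaked:
        print("  " * depth + f"{text} -> {url}  (id={nav_id})")
    print(f"{len(leaked)} entries exposed, {len(plugin_entries(leaked))} from plugins")
```

Against a live instance you would replace `SAMPLE_HTML` with the body of an unauthenticated GET of the snapshot URI (no cookies) and feed the resulting URL list into the proxy for the endpoint enumeration step; the check is a pass if `leaked_menu_entries` returns an empty list.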
Related news
Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI.