Privilege Escalation Bug with Grafana Plugin

Description

When using the OpenNMS datasource with Grafana (see https://www.opennms.org/wiki/Grafana), the Grafana user can access the OpenNMS session used by the datasource. In certain cases this may lead to privilege escalation.

To reproduce:

1) Configure the OpenNMS datasource in Grafana using 'Proxy' mode
2) Make both OpenNMS and Grafana accessible via the same hostname
3) Log in to Grafana using the hostname from 2) and access a dashboard that uses the OpenNMS datasource
4) Access OpenNMS using the hostname from 2)

In 4), you should have a session opened with the user configured in the Grafana datasource.
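The mechanism behind the reproduction steps, as an added example that is not OpenNMS or Grafana code: a datasource proxy that copies the backend's Set-Cookie headers into its own response plants the backend session cookie in the Grafana user's browser, and with both services on one hostname the browser then presents that cookie to OpenNMS. The script models the defective forwarder beside a hardened one that drops Set-Cookie on the way back, and adds a small detector a defender can run over the headers of a real proxied response. The session cookie name (JSESSIONID) and the sample headers are assumptions, constructed for the example.

```python
"""
Added example (not OpenNMS or Grafana code) modelling the datasource-proxy
cookie leak described in this issue, plus a detector for it.
"""

# Assumption: the backend issues a JSESSIONID session cookie (the Jetty default);
# extend this set for other backend session cookie names.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Constructed sample: headers a backend REST call might return to the proxy.
BACKEND_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "JSESSIONID=constructed-session-id; Path=/opennms; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie header value ('NAME=value; attrs')."""
    name_value = set_cookie_value.split(";", 1)[0]
    return name_value.split("=", 1)[0].strip()


def forward_headers_naive(backend_headers):
    """Defective proxy: relays every backend header, Set-Cookie included."""
    return list(backend_headers)


def forward_headers_hardened(backend_headers):
    """Hardened proxy: never relays Set-Cookie, so no backend session reaches the browser.

    Dropping the header outright (rather than allow-listing cookie names) is the
    safe default: the proxy authenticates to the backend with its own credentials,
    so the browser has no legitimate need for any backend cookie.
    """
    return [(n, v) for n, v in backend_headers if n.lower() != "set-cookie"]


def check_proxied_response(headers):
    """Detector: list the cookies a proxied response would set and flag session cookies.

    Pass the (name, value) header pairs of a response fetched through the proxy
    path, one pair per header line so repeated Set-Cookie headers stay separate
    (e.g. http.client's HTTPResponse.getheaders()).
    """
    cookies = [cookie_name(v) for n, v in headers if n.lower() == "set-cookie"]
    leaked = [c for c in cookies if c in SESSION_COOKIE_NAMES]
    return {
        "cookies_set": cookies,
        "leaked_session_cookies": leaked,
        "leaks_session": bool(leaked),
    }


if __name__ == "__main__":
    print("naive   :", check_proxied_response(forward_headers_naive(BACKEND_HEADERS)))
    print("hardened:", check_proxied_response(forward_headers_hardened(BACKEND_HEADERS)))
```

Run against a live deployment, a `leaks_session` result of `True` from a dashboard's datasource requests means the proxy is still relaying the backend session. The proxy-side filter is one of the two remedies the discussion below mentions; the other is server-side, preventing OpenNMS from creating a session for the datasource's REST calls at all, so that there is no cookie to leak even through an unfiltered proxy.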

Acceptance / Success Criteria

None

Activity

Jesse White December 20, 2017 at 12:57 AM

John Blake December 13, 2017 at 3:58 PM

This was not added to 2017.1.2.

Customer upgraded and:

create-session="never"

is still not in the file.


fooker May 24, 2017 at 4:04 AM

Jesse White May 17, 2017 at 12:15 PM

I can confirm that Grafana does not properly filter the "Set-Cookie" headers returned from our REST API.

We'll look at providing a way of filtering these out on our end, or avoid session creation completely in some cases.

Robin Andries March 29, 2017 at 5:03 AM

I'm still facing this issue.
Grafana 4.1.2-4.2
OpenNMS 18.0.4
Both running on the same host.

Already raised a bug at:
https://github.com/grafana/grafana/issues/7935
Similar to:
https://github.com/grafana/grafana/issues/3845

Fixed

Details

Created January 21, 2016 at 8:43 AM
Updated December 20, 2017 at 3:57 PM
Resolved December 20, 2017 at 3:57 PM