CVE-2023-1387: https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

Please bump to 9.4.9.
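
Added example, not part of the bug report and not Grafana's own code: a Python check of whether a grafana.ini, together with any GF_ environment overrides, turns on the url_login option described above. The sample ini, the function names and the set of truthy spellings are assumptions made for illustration.

```python
import configparser

# Assumption: spellings treated as boolean true.
TRUTHY = {"1", "t", "true", "y", "yes", "on"}

# Constructed sample, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production

[auth.jwt]
enabled = true
; url_login = false
url_login = true
"""


def _effective(cfg, env, section, key, default="false"):
    """Return (value, source); a GF_<SECTION>_<KEY> variable overrides the file."""
    env_name = "GF_%s_%s" % (section.replace(".", "_").upper(), key.upper())
    if env_name in env:
        return env[env_name], env_name
    if cfg.has_option(section, key):
        return cfg.get(section, key), "ini"
    return default, "default"


def audit_jwt_url_login(ini_text, env=None):
    """Report whether JWT-in-URL login (auth_token query parameter) is on."""
    env = env or {}
    # interpolation=None: values may contain '%'; strict=False: tolerate
    # repeated keys; the dummy header covers keys placed before any section.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string("[__root__]\n" + ini_text)
    enabled, _ = _effective(cfg, env, "auth.jwt", "enabled")
    url_login, source = _effective(cfg, env, "auth.jwt", "url_login")
    return {
        "jwt_enabled": enabled.strip().lower() in TRUTHY,
        "url_login": url_login.strip().lower() in TRUTHY,
        "source": source,
    }


if __name__ == "__main__":
    print(audit_jwt_url_login(SAMPLE_INI))
```

Pass `dict(os.environ)` as `env` when auditing a running host, since an environment override can enable the option even when the file leaves it off.
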
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090be2cd827a3689028a7b74c4ef3ab93d6c8f98

commit 090be2cd827a3689028a7b74c4ef3ab93d6c8f98
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2023-04-28 08:10:01 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2023-04-28 08:10:41 +0000

    www-apps/grafana-bin: Bump

    Bug: https://bugs.gentoo.org/905208
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 www-apps/grafana-bin/Manifest | 5 +-
 ...bin-9.3.11.ebuild => grafana-bin-9.3.13.ebuild} | 0
 ...a-bin-9.4.7.ebuild => grafana-bin-9.4.9.ebuild} | 0
 www-apps/grafana-bin/grafana-bin-9.5.1.ebuild | 67 ++++++++++++++++++++++
 4 files changed, 70 insertions(+), 2 deletions(-)