Miggo Logo
Miggo Vulnerability Database
CVE-2018-15727

CVE-2018-15727: Grafana Authentication Bypass

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-15727
GHSA ID
GHSA-rgjg-66cx-5x9m
EPSS Score
0.98908%
CWE
CWE-287
Published
2/15/2022
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/grafana/grafanago< 4.6.44.6.4
github.com/grafana/grafanago>= 5.0.0, < 5.2.35.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability stemmed from two key points: 1) In login.go, the cookie validation used a weak signing key (user.Rands + user.Password) that became predictable for LDAP/OAuth users due to empty password fields. 2) In user.go, the user creation logic didn't properly initialize Rands/Salt for passwordless users, leaving the signing key components empty. The commits show fixes adding Rands/Salt generation for all users and validation of signing key length, confirming these were the vulnerable areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*r***n* ***or* *.*.* *n* *.x ***or* *.*.* *llows *ut**nti**tion *yp*ss ****us* *n *tt**k*r **n **n*r*t* * v*li* "r*m*m**r m*" *ooki* knowin* only * us*rn*m* o* *n L**P or O*ut* us*r. ### Sp**i*i* *o P**k***s *****t** *it*u*.*om/*r***n*/*r***n*/pk*/*

Reasoning

T** *or* vuln*r**ility st*mm** *rom two k*y points: *) In `lo*in.*o`, t** *ooki* `v*li**tion` us** * w**k si*nin* k*y (`us*r.R*n*s` + `us*r.P*sswor*`) t**t ****m* pr**i*t**l* *or L**P/O*ut* us*rs *u* to *mpty p*sswor* *i*l*s. *) In `us*r.*o`, t** us*