Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

Specific Go Packages Affected

github.com/grafana/grafana/pkg/api

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-15727
• grafana/grafana@7baecf0
• grafana/grafana@df83bf1
• https://access.redhat.com/errata/RHSA-2018:3829
• https://access.redhat.com/errata/RHSA-2019:0019
• https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/
• https://www.securityfocus.com/bid/105184