  1. OpenNMS
  2. NMS-8093

Privilege Escalation Bug with Grafana Plugin

Details

    • Horizon - May 17th, Horizon - May 24th, Horizon - December 14th, Horizon - December 20th

    Description

      When using the OpenNMS datasource with Grafana (see https://www.opennms.org/wiki/Grafana), the Grafana user can access the OpenNMS session used by the datasource. In certain cases this may lead to privilege escalation.

      To reproduce:

      1) Configure the OpenNMS datasource in Grafana using 'Proxy' mode
      2) Make both OpenNMS and Grafana accessible via the same hostname
      3) Log in to Grafana using the hostname from 2) and access a dashboard that uses the OpenNMS datasource
      4) Access OpenNMS using the hostname from 2)

      In 4), you should have a session opened with the user configured in the Grafana datasource.
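
Why step 2 matters, as an added example that is not part of the original report or of OpenNMS/Grafana code: browsers scope cookies by hostname and path, not by port, so a session cookie delivered through a response on the Grafana origin is also sent to OpenNMS on the same hostname. It assumes the session is carried in a cookie that the proxy relays to the browser (the report does not state the mechanism); the hostnames, ports, paths and cookie value are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def default_path(request_path):
    # RFC 6265 section 5.1.4: cookie path when no Path attribute is given
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def path_match(request_path, cookie_path):
    # RFC 6265 section 5.1.4 path-match
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(set_cookie, response_url, target_url):
    """Names of cookies from a Set-Cookie value received at response_url
    that a browser would attach to a later request for target_url."""
    src, dst = urlsplit(response_url), urlsplit(target_url)
    jar = SimpleCookie()
    jar.load(set_cookie)
    sent = []
    for name, morsel in jar.items():
        domain = morsel["domain"].lstrip(".").lower()
        if domain:
            host_ok = dst.hostname == domain or dst.hostname.endswith("." + domain)
        else:
            # Host-only cookie: the port is not part of the scope
            host_ok = dst.hostname == src.hostname
        path = morsel["path"] or default_path(src.path)
        if morsel["secure"] and dst.scheme != "https":
            continue
        if host_ok and path_match(dst.path or "/", path):
            sent.append(name)
    return sent

# Constructed sample values (assumptions, not taken from the report)
RELAYED = "JSESSIONID=constructed123; Path=/opennms; HttpOnly"
GRAFANA_SAME_HOST = "http://nms.example.org:3000/api/datasources/proxy/1/rest/measurements"
GRAFANA_OTHER_HOST = "http://grafana.example.org:3000/api/datasources/proxy/1/rest/measurements"
OPENNMS = "http://nms.example.org:8980/opennms/index.jsp"

if __name__ == "__main__":
    print("same hostname: ", cookies_sent(RELAYED, GRAFANA_SAME_HOST, OPENNMS))
    print("other hostname:", cookies_sent(RELAYED, GRAFANA_OTHER_HOST, OPENNMS))
```

Serving Grafana and OpenNMS under different hostnames, or stripping `Set-Cookie` from proxied datasource responses, keeps the datasource session out of the Grafana user's browser scope for OpenNMS.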

          People

            j-white Jesse White
            tarus Tarus Balog