Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-8093

Privilege Escalation Bug with Grafana Plugin

    XMLWordPrintable

    Details

    • Sprint:
      Horizon - May 17th, Horizon - May 24th, Horizon - December 14th, Horizon - December 20th

      Description

      When using the OpenNMS datasource with Grafana (see https://www.opennms.org/wiki/Grafana), the Grafana user can access the OpenNMS session used by the datasource. In certain cases this may lead to privilege escalation.

      To reproduce:

      1) Configure the OpenNMS datasource in Grafana using 'Proxy' mode
      2) Make both OpenNMS and Grafana accessible via the same hostname
      3) Login to Grafana using the hostname from 2) and access a dashboard that uses the OpenNMS datasource
      4) Access OpenNMS using the hostname from 2)

      In 4), you should have a session opened with the user configured in the Grafana datasource

        Attachments

          Activity

            People

            • Assignee:
              j-white Jesse White
              Reporter:
              tarus Tarus Balog
            • Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: