Description
When using an IPv6 allow-list for the Auth Proxy feature, addresses given without an explicit mask are treated as /32 prefixes rather than as single /128 hosts, so far more source addresses than intended are allowed. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to each address. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here.
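The following Go snippet is an added illustration, not Grafana's own code: the hypothetical `parseEntry`, `Allowed` and `LintAllowList` helpers reconstruct the described behaviour (a bare IPv6 entry widened to /32 versus the fixed single-host default) and give operators a quick check for allow-list entries that still need an explicit /128.

```go
package main

import (
	"net/netip"
	"strings"
)

// parseEntry turns one allow-list entry into a prefix. A bare address (no "/")
// gets defaultBits: 32 reproduces the advisory's behaviour, while a value <= 0
// selects the fixed behaviour of a single-host mask (/32 IPv4, /128 IPv6).
func parseEntry(entry string, defaultBits int) (netip.Prefix, error) {
	if strings.Contains(entry, "/") {
		return netip.ParsePrefix(entry) // explicit mask is honoured as written
	}
	addr, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	if defaultBits <= 0 {
		defaultBits = addr.BitLen() // 32 for IPv4, 128 for IPv6
	}
	return netip.PrefixFrom(addr, defaultBits).Masked(), nil
}

// Allowed reports whether client falls inside any entry parsed with defaultBits.
func Allowed(entries []string, defaultBits int, client string) bool {
	addr, err := netip.ParseAddr(client)
	if err != nil {
		return false
	}
	for _, e := range entries {
		if p, err := parseEntry(e, defaultBits); err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

// LintAllowList returns the IPv6 entries that have no explicit mask: exactly
// the entries the advisory tells operators to rewrite with /128.
func LintAllowList(entries []string) []string {
	var bare []string
	for _, e := range entries {
		if addr, err := netip.ParseAddr(e); err == nil && addr.Is6() {
			bare = append(bare, e)
		}
	}
	return bare
}
```

Sample addresses in the test are constructed from documentation ranges; feed `LintAllowList` your actual allow-list to find entries to fix.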
CVSS breakdown (CVSS 3.1)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
Affected products
- Grafana / Grafana OSS 9.4.0 – 11.6.14
- Grafana / Grafana OSS 11.6.14 – 11.6.14+security-04
- Grafana / Grafana OSS 12.0.0 – 12.2.8
- Grafana / Grafana OSS 12.2.8 – 12.2.8+security-04
- Grafana / Grafana OSS 12.3.0 – 12.3.6
- Grafana / Grafana OSS 12.3.6 – 12.3.6+security-04
- Grafana / Grafana OSS 12.4.0 – 12.4.3
- Grafana / Grafana OSS 12.4.3 – 12.4.3+security-02
- Grafana / Grafana OSS 13.0.0 – 13.0.1
- Grafana / Grafana OSS 13.0.1 – 13.0.1+security-01