CVE-2023-1387 Overview
Grafana, a widely used open-source platform for monitoring and observability, contains an information disclosure vulnerability that can leak a user's JWT. Starting with the 9.1 branch, Grafana can read a JWT from the auth_token URL query parameter and use it as the authentication token. When the url_login configuration option is enabled (it is disabled by default), the JWT carried in that query parameter may be forwarded to the configured data sources along with the requests Grafana makes on the user's behalf.
An attacker who can observe requests arriving at such a data source (through its access logs, a network tap, or by controlling the data source itself) can capture the JWT and replay it against the Grafana instance as the original user. A JWT is a bearer credential, so possession is sufficient: the attacker gains whatever that user could see or change, up to full administrative control if the token belongs to an administrator.
Critical Impact
JWT authentication tokens can be leaked to data sources, enabling attackers with data source access to impersonate legitimate users and gain unauthorized access to Grafana dashboards and configurations.
Affected Products
- Grafana 9.1.0 and later, before the fixed releases, with url_login enabled under [auth.jwt]
- Grafana instances whose users actually pass JWTs via the auth_token URL query parameter (the header-based JWT flow does not place the token in the URL)
- Deployments in which data sources, their access logs, or the network path to them are readable by parties who should not hold Grafana credentials
Discovery Timeline
- April 26, 2023 - CVE-2023-1387 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2023-1387
Vulnerability Analysis
This vulnerability is classified as an Information Exposure issue (CWE-200): an authentication credential is disclosed to a party that was never meant to receive it. The problem is in how Grafana handles a JWT supplied through the URL when url_login is enabled.
When a user authenticates with a JWT in the auth_token query parameter, Grafana may carry that token along when it issues requests to configured data sources on the user's behalf. The data source, and anyone who can read its logs or traffic, thereby receives a credential that is valid for Grafana itself, not merely for the data it was asked to return.
The issue is rated as network-reachable with no privileges or user interaction required on the Grafana side. In practice an attacker still needs visibility into what reaches a configured data source, so the exposure is greatest where data sources are externally hosted, shared between tenants, or logged to systems with a wider audience than Grafana's own.
Root Cause
The root cause is the decision to accept a JWT from a URL query parameter without stripping that parameter from the request data Grafana reuses when contacting data sources. With url_login enabled, Grafana takes the JWT from auth_token but does not remove it before the outbound data source request is built, so the credential travels one hop further than intended.
This is a trust boundary violation: a token meant only to authenticate the user to Grafana ends up in the hands of external systems that do not share Grafana's security controls, log retention rules or access restrictions.
Attack Vector
The attack requires the following conditions to be present:
- Grafana instance running version 9.1.0 or later
- The url_login configuration option must be enabled
- Users must authenticate using JWT tokens passed via the auth_token URL query parameter
- The attacker must have access to a data source that receives forwarded requests from Grafana
An attacker positioned to observe traffic to a data source, or who controls the data source or its logging pipeline, can capture the leaked JWT. Because the JWT is a bearer token, it can then be replayed directly against the Grafana instance for as long as it remains valid, granting access to dashboards, alerts and, if the original user was an administrator, administrative functions.
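The leak path described above, reduced to a small model (an added example, not Grafana's code): a JWT arrives in the auth_token query parameter, is accepted as a login only because url_login is on, and a vulnerable request builder carries the whole inbound query string to the data source while the hardened builder strips credential-bearing parameters first. The data source proxy route, the header-first lookup order and all function names are assumptions made for this example; the JWT is a constructed, unsigned sample.

```python
"""Toy model of the CVE-2023-1387 leak path. Added example, not Grafana code.
All names, the proxy route and the lookup order are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample JWT: three base64url segments, dummy signature, never valid anywhere.
SAMPLE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0."
              "c2lnbmF0dXJl")

# Query parameters that carry credentials and must never leave Grafana.
CREDENTIAL_PARAMS = {"auth_token"}


@dataclass
class JwtConfig:
    """Subset of [auth.jwt]; url_login mirrors Grafana's default of disabled."""
    enabled: bool = True
    url_login: bool = False
    header_name: str = "X-JWT-Assertion"


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


def extract_token(req: Request, cfg: JwtConfig) -> Optional[str]:
    """Header first; the URL parameter is consulted only when url_login is enabled (assumed order)."""
    if not cfg.enabled:
        return None
    token = req.headers.get(cfg.header_name)
    if token:
        return token
    if cfg.url_login:
        return dict(parse_qsl(urlsplit(req.url).query)).get("auth_token")
    return None


def build_datasource_url_vulnerable(req: Request, ds_base: str) -> str:
    """Vulnerable pattern: the inbound query string is reused verbatim for the data source call."""
    inbound, ds = urlsplit(req.url), urlsplit(ds_base)
    return urlunsplit((ds.scheme, ds.netloc, ds.path, inbound.query, ""))


def build_datasource_url_hardened(req: Request, ds_base: str) -> str:
    """Hardened pattern: credential-bearing parameters are removed before the URL is built."""
    inbound, ds = urlsplit(req.url), urlsplit(ds_base)
    kept = [(k, v) for k, v in parse_qsl(inbound.query, keep_blank_values=True)
            if k not in CREDENTIAL_PARAMS]
    return urlunsplit((ds.scheme, ds.netloc, ds.path, urlencode(kept), ""))


def demo(url_login: bool = True) -> dict:
    """Run one proxied query through both builders and report whether the JWT leaked."""
    cfg = JwtConfig(url_login=url_login)
    # Assumed shape of a data-source-proxy request carrying the JWT in the URL.
    req = Request(url="https://grafana.example/api/datasources/proxy/1/api/v1/query"
                      f"?query=up&auth_token={SAMPLE_JWT}")
    token = extract_token(req, cfg)
    ds_base = "http://prometheus.internal:9090/api/v1/query"
    vulnerable = build_datasource_url_vulnerable(req, ds_base)
    hardened = build_datasource_url_hardened(req, ds_base)
    return {
        "token_accepted": token == SAMPLE_JWT,
        "vulnerable_leaks": SAMPLE_JWT in vulnerable,
        "hardened_leaks": SAMPLE_JWT in hardened,
        "hardened_url": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that in this model the vulnerable builder forwards the token even when url_login is off: disabling the option stops Grafana from honouring a URL-carried JWT (so users have no reason to send one), but only stripping the parameter from outbound requests removes the leak itself, which is why both the configuration change and the vendor fix matter.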
Detection Methods for CVE-2023-1387
Indicators of Compromise
- Unexpected authentication sessions from unusual IP addresses or geographic locations
- Data source logs showing JWT tokens in query parameters or request headers
- Multiple simultaneous sessions using the same JWT token from different source IPs
- Unusual access patterns to dashboards or administrative functions
Detection Strategies
- Review data source access logs for JWTs (three base64url segments separated by dots, typically beginning with eyJ) in request query strings, and for an auth_token parameter in particular
- Inspect traffic between Grafana and its data sources for JWTs in URLs; this requires visibility into the decrypted request, so it is only practical at a TLS-terminating proxy or on the data source host itself
- Enable Grafana's authentication logging (the server log records login events; full auditing is a Grafana Enterprise feature) and correlate JWT logins with source IP and user agent
- Monitor Grafana for API calls that present a JWT also observed in data source logs, since that is direct evidence of replay
Monitoring Recommendations
- Enable and review Grafana audit logs regularly for suspicious authentication patterns
- Configure alerting for authentication anomalies such as session reuse from multiple IPs
- Monitor data source query logs for evidence of leaked authentication credentials
- Implement intrusion detection rules to identify JWT token leakage patterns in network traffic
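A detection pass over data source access logs, as an added example that is not from the page or from Grafana: it scans constructed common-log-style lines for JWTs in the query string or Authorization header, decodes the payload without verifying the signature purely for triage, and reports any token seen from more than one client IP (the replay indicator listed above). The log format, the sample tokens and all names are constructed assumptions; adapt LINE_RE to the real data source's log format.

```python
"""Find JWTs in data source access logs and flag reuse across IPs.
Added example; the log format, tokens and names are constructed for illustration."""
import base64
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# A JSON JWT's header and payload both start with '{"', which base64url-encodes to "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Constructed format: <ip> - - [<ts>] "<method> <path+query> HTTP/x" <status> <bytes> "<Authorization or ->"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<authz>[^"]*)"'
)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_json(segment: str) -> Optional[dict]:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWT encoding strips
    try:
        return json.loads(base64.urlsafe_b64decode(segment))
    except (ValueError, UnicodeDecodeError):
        return None


def make_sample_token(sub: str, exp: int) -> str:
    """Constructed, unsigned token: structurally a JWT, with a dummy signature segment."""
    return ".".join([_b64url_encode({"alg": "HS256", "typ": "JWT"}),
                     _b64url_encode({"sub": sub, "exp": exp}), "c2ln"])


def unverified_claims(token: str) -> Optional[dict]:
    """Payload only, no signature check: enough to see who/when for triage, never for authorisation."""
    parts = token.split(".")
    return _b64url_json(parts[1]) if len(parts) == 3 else None


def scan(lines: List[str]) -> Tuple[List[dict], Dict[str, List[str]]]:
    """Return (findings, reused): every JWT sighting, plus tokens seen from more than one IP."""
    findings: List[dict] = []
    ips_by_token: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sightings = [("query", t) for t in JWT_RE.findall(m["path"])]
        sightings += [("header", t) for t in JWT_RE.findall(m["authz"])]
        for location, token in sightings:
            ips_by_token[token].add(m["ip"])
            findings.append({"ip": m["ip"], "ts": m["ts"], "location": location,
                             "token": token, "claims": unverified_claims(token)})
    reused = {t: sorted(ips) for t, ips in ips_by_token.items() if len(ips) > 1}
    return findings, reused


# Constructed sample log: TOKEN_A leaks via auth_token from two IPs (replay), TOKEN_B via a header.
TOKEN_A = make_sample_token("alice", 1700000000)
TOKEN_B = make_sample_token("bob", 1700003600)
SAMPLE_LOG = [
    f'10.0.0.5 - - [26/Apr/2023:10:00:01 +0000] "GET /api/v1/query?query=up&auth_token={TOKEN_A} HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [26/Apr/2023:10:00:02 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 512 "-"',
    f'203.0.113.9 - - [26/Apr/2023:10:05:00 +0000] "GET /api/v1/query?query=up&auth_token={TOKEN_A} HTTP/1.1" 200 512 "-"',
    f'10.0.0.7 - - [26/Apr/2023:10:06:00 +0000] "POST /api/v1/query_range HTTP/1.1" 200 1024 "Bearer {TOKEN_B}"',
]

if __name__ == "__main__":
    found, reused = scan(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["ip"]} {f["location"]} sub={f["claims"].get("sub")} exp={f["claims"].get("exp")}')
    for token, ips in reused.items():
        print(f"possible replay: token ending ...{token[-8:]} seen from {ips}")
```

The decoded claims are only for scoping (which user, until when); a token that appears in a data source log is compromised regardless of what its payload says, and the exp claim tells you how long the replay window stays open.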
How to Mitigate CVE-2023-1387
Immediate Actions Required
- Disable url_login under [auth.jwt] unless a URL-carried JWT is strictly required, and upgrade to a fixed Grafana release
- Treat any JWT that may have reached a data source as compromised: have the issuer revoke or re-key it where it supports this, and remember that a bearer JWT stays valid until its exp claim passes, so shorten token lifetimes as well
- Audit data source access logs for JWTs in query parameters to scope the exposure
- Restrict network access to data sources so that only Grafana and authorised operators can reach them
Patch Information
Grafana has released security updates addressing this vulnerability. Organizations should upgrade to the latest patched versions as specified in the Grafana Security Advisory CVE-2023-1387. Additional details are available in the GitHub Security Advisory GHSA-5585.
NetApp has also released guidance for affected products in their NetApp Security Advisory NTAP-20230609-0003.
Workarounds
- Set url_login = false under [auth.jwt] in the Grafana configuration so that a JWT is accepted only from the configured header
- Prefer header-based JWT authentication (the header_name option), which keeps the token out of the URL and is therefore not subject to this leak
- Apply network-level controls so that data sources are reachable only from Grafana and trusted operators
- Issue short-lived JWTs, and use token binding where the issuer supports it, to shrink the window in which a leaked token can be replayed
# Configuration example
# In grafana.ini or custom.ini, ensure url_login is disabled:
[auth.jwt]
enabled = true
url_login = false
header_name = X-JWT-Assertion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


