While analyzing the logic behind the “remember” cookie in Grafana 5.2.2, I discovered a bug in the authentication mechanism. It affected users authenticating to Grafana with an external provider (such as Azure AD). By generating a special “remember” cookie, an attacker could sign in as such a user, knowing only her/his username. The bug’s CVE id is CVE-2018-15727.
After I reported the problem to the Grafana team, they fixed the issue on the next day and started rolling out a new release. So if you are vulnerable, don’t hesitate and go update your Grafana.