Summary by whitebear_0one
An unauthenticated metrics endpoint if it is publicly accessible and exposes sensitive Prometheus-style metrics related to internal Grafana / InfluxDB systems used by Organization.
The disclosed data can includes:
- User, admin, and organization enumeration
- Authentication activity statistics
- Grafana build details (branch, Go version, revision, edition, commit, version, etc.)
- Plugin usage information
- Database connection details
- System architecture, goroutine/thread counts, and resource metrics
This level of disclosure significantly increases the attack surface, enabling targeted attacks against infrastructure and internal users.