From cf1c2b5944fd701c70c4287219208c9fa3bfd259 Mon Sep 17 00:00:00 2001
From: Dikshant Singh <95041015+elit3pwner@users.noreply.github.com>
Date: Sun, 28 Dec 2025 11:55:41 -0500
Subject: [PATCH] Add security vulnerability disclosure for Grafana metrics
Documented a security vulnerability regarding unauthenticated access to the Grafana metrics endpoint, detailing potential risks and affected assets.
Signed-off-by: Dikshant Singh <95041015+elit3pwner@users.noreply.github.com>
---
report.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 report.md
diff --git a/report.md b/report.md
new file mode 100644
index 00000000..ef422faf
--- /dev/null
+++ b/report.md
@@ -0,0 +1,46 @@
+# Server-Side Security Vulnerability Disclosure
+## Unauthenticated Access to Grafana Metrics Endpoint
+
+---
+
+## Summary
+
+The Grafana metrics endpoint at `https://grafana.aixblock.io/metrics` is publicly accessible without authentication.
+An unauthenticated user can retrieve detailed internal metrics related to the Grafana instance, application behavior, enabled features, and runtime characteristics.
+
+This exposure may aid attackers in reconnaissance, environment fingerprinting, and targeted exploitation.
+
+---
+
+## Affected Asset
+
+- **URL:** https://grafana.aixblock.io/metrics
+- **Service:** Grafana
+- **Endpoint Type:** Prometheus metrics endpoint
+
+---
+
+## Vulnerability Details
+
+The `/metrics` endpoint is exposed publicly and does not enforce any form of authentication, authorization, or network-level restriction.
+
+Accessing the endpoint returns a comprehensive set of Prometheus-formatted metrics, including but not limited to:
+
+- Grafana version and commit hash
+- Enabled and disabled feature toggles
+- Encryption operation statistics
+- HTTP handler paths and response characteristics
+- Process memory usage and start time
+- Internal service behavior and health indicators
+
+This information is typically intended for internal monitoring systems (e.g., Prometheus) and should not be accessible to unauthenticated external users.
+
+---
+
+## Proof of Exposure
+
+A direct unauthenticated `GET` request to the endpoint returns sensitive operational metrics.
+Sample (truncated) response:
+
+
+
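Review bot: The "Proof of Exposure" section promises a "Sample (truncated) response:" but the hunk ends without any response body, so the report's only evidence of the exposure is missing; please paste the actual captured output of the unauthenticated `GET https://grafana.aixblock.io/metrics` request (the request used, the HTTP status line and a few representative metric lines, for example the line carrying the version and commit hash claimed under "Vulnerability Details") so a triager can reproduce the finding without re-testing. The report also has no severity rating and no remediation section, both of which a disclosure of this kind needs: state that this is an information-disclosure issue whose impact is reconnaissance rather than direct compromise, and recommend that `/metrics` be protected with authentication or restricted at the network/reverse-proxy layer so that only the internal Prometheus scraper named in the report can reach it.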