CVE-2019-15043

Published: 29 Aug 2019
Source: redhat
CVSS3: 4.3
EPSS: Critical

Description

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

Report

OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security has rated this vulnerability as Low for OpenShift Container Platform. This issue affects the version of Grafana shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.

Mitigation

Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load balancer, reverse proxy, etc. You can also set 'external_enabled' to false to disable the external snapshot publish endpoint (the default is true). Note that this completely disables the external snapshot feature.

cat /etc/grafana/grafana.ini

[...]
[snapshots]
# snapshot sharing options
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
[...]
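As an added example (not from the Red Hat advisory or from the Grafana project), the following Python check parses a grafana.ini and reports whether the [snapshots] external_enabled mitigation described above is in place. The two sample configurations are constructed for illustration; the assumption that a missing key or section counts as enabled follows from the default of true stated above.

```python
"""Audit the [snapshots] section of a Grafana config for the CVE-2019-15043
mitigation (external_enabled = false).

Added example: not part of the Red Hat advisory or of Grafana itself.
The sample configurations below are constructed for illustration."""
import configparser

# Constructed sample: Grafana's shipped default, external snapshot publishing on.
WEAK_INI = """
[server]
http_port = 3000

[snapshots]
# snapshot sharing options
external_enabled = true
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
"""

# Constructed sample: the mitigated configuration shown in the advisory.
HARDENED_INI = """
[server]
http_port = 3000

[snapshots]
# snapshot sharing options
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
"""


def parse_grafana_ini(text):
    # grafana.ini is INI-style with '#' or ';' comment lines. Interpolation is
    # disabled because Grafana values may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def external_snapshots_enabled(text):
    """Return True when external snapshot publishing is reachable.

    Assumption (from the advisory's 'default true'): when the key or the whole
    [snapshots] section is absent, Grafana behaves as if external_enabled = true.
    """
    cfg = parse_grafana_ini(text)
    if not cfg.has_section("snapshots"):
        return True
    return cfg.getboolean("snapshots", "external_enabled", fallback=True)


def audit(text):
    """Return a list of findings; an empty list means the mitigation is applied."""
    findings = []
    if external_snapshots_enabled(text):
        findings.append(
            "[snapshots] external_enabled is true or unset: the external snapshot "
            "publish endpoint is reachable; set external_enabled = false or block "
            "/api/snapshots at the reverse proxy (CVE-2019-15043)"
        )
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or ["ok"])
```

Run it against a real /etc/grafana/grafana.ini by passing the file contents to audit(); note that it only covers the configuration half of the mitigation, so a deployment that relies on blocking /api/snapshots at a proxy still needs that rule verified separately.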

Affected packages

Platform | Package | State | Advisory | Release
Red Hat Ceph Storage 2 | grafana | Out of support scope | |
Red Hat Ceph Storage 3 | grafana | Affected | |
Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Affected | |
Red Hat Storage 3 | grafana | Affected | |
Red Hat Enterprise Linux 8 | grafana | Fixed | RHSA-2020:1659 | 28.04.2020


Additional information

Status: Moderate
Weakness: CWE-284
Weakness: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1746945: grafana: incorrect access control in snapshot HTTP API leads to denial of service

EPSS

Percentile: 100%
Score: 0.9079
Critical

CVSS3: 4.3 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 6 years ago

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

CVSS3: 7.5
nvd
almost 6 years ago

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

CVSS3: 7.5
debian
almost 6 years ago

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow u ...

CVSS3: 7.5
github
about 3 years ago

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

oracle-oval
about 5 years ago

ELSA-2020-1659: grafana security, bug fix, and enhancement update (MODERATE)


Vulnerability CVE-2019-15043