Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-19499

Опубликовано: 27 авг. 2020
Источник: redhat
CVSS3: 6.5
EPSS Средний

Описание

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

Grafana has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

Отчет

A vulnerable version of Grafana is shipped in OpenShift 3.11 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to MySQL requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. Red Hat Ceph Storage 3 and 4 ships an older version of the affected code, which is still possible to exploit. However, Ceph 3 and 4 do not use mysql as a datasource, therefore, the impact is low. Red Hat Gluster Storage 3 ships vulnerable version of grafana, however Graphite is the only supported data source and hence this issue has been rated as having a security impact of Low.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Service Mesh 1servicemesh-grafanaFix deferred
Red Hat Ceph Storage 2grafanaOut of support scope
Red Hat Ceph Storage 3grafanaAffected
Red Hat Ceph Storage 3grafana-containerAffected
Red Hat Ceph Storage 4rhceph/rhceph-4-dashboard-rhel8Affected
Red Hat OpenShift Container Platform 3.11openshift3/grafanaFix deferred
Red Hat OpenShift Container Platform 4openshift4/ose-grafanaNot affected
Red Hat Storage 3grafanaAffected
Red Hat Enterprise Linux 8grafanaFixedRHSA-2020:468204.11.2020

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-88->CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1873615grafana: arbitrary file read via MySQL data source

EPSS

Процентиль: 97%
0.37437
Средний

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-19499

CVSS3: 6.5
ubuntu
почти 5 лет назад

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

nvd логотип

CVE-2019-19499

CVSS3: 6.5
nvd
почти 5 лет назад

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

debian логотип

CVE-2019-19499

CVSS3: 6.5
debian
почти 5 лет назад

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could ...

github логотип

GHSA-4pwp-cx67-5cpx

CVSS3: 6.5
github
больше 1 года назад

Grafana Arbitrary File Read

oracle-oval логотип

ELSA-2020-4682

oracle-oval
больше 4 лет назад

ELSA-2020-4682: grafana security, bug fix, and enhancement update (MODERATE)

EPSS

Процентиль: 97%
0.37437
Средний

6.5 Medium

CVSS3