CVE-2020-12459

Published: 23 Apr 2020
Source: redhat
CVSS3: 6.2
EPSS: Low

Description

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

An information-disclosure flaw was found in Grafana as distributed by Red Hat. It allows a local attacker to read potentially sensitive information, such as the secret_key and the LDAP bind_password, from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.

Statement

Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4, which sets correct permissions on its configuration files. This issue did not affect the version of grafana shipped with Red Hat Gluster Storage 3, which ships grafana v4.6.4 and likewise sets correct permissions on its configuration files. In both OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM), the grafana containers set their database files to world readable. However, because they run in container images with SELinux MCS labels, other processes on the host are prevented from reading those files, so for both OCP and OSSM the impact is low.

Mitigation

Manually remove the read bit for "others" from the two configuration files:

chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml

Mode 640 keeps owner read/write and group read only, so the files must be group-owned by the account that the grafana-server service runs as, or the service will lose access to its own configuration after the change. Check ownership (ls -l) before tightening the mode, and re-check the permissions after any package update, since a package upgrade may reinstall the files with the original mode.
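The following script is an added example, not Red Hat's or Grafana's own tooling. It audits the two files named in the advisory for the world-readable bit (the CWE-732 condition), counts the secret-bearing settings the advisory says those files hold (secret_key, bind_password), and optionally applies the chmod 640 mitigation and verifies that it took effect. The file list and setting names come from the advisory; the function names, the subcommand interface and the use of find -perm for the permission test are this example's own assumptions.

```shell
#!/bin/sh
# grafana-perms.sh (example, not part of the advisory): audit and fix
# world-readable Grafana configuration files as described in CVE-2020-12459.

# Files named in the advisory; override by passing paths as arguments.
DEFAULT_FILES="/etc/grafana/grafana.ini /etc/grafana/ldap.toml"

# world_readable FILE: exit 0 if the "others" read bit (o+r, octal 004) is set.
# find -perm -004 matches when at least that bit is set (GNU, BSD and busybox find).
world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

# exposed_secrets FILE: print how many secret-bearing settings the file holds.
# The advisory names secret_key (grafana.ini) and bind_password (ldap.toml).
# Prints 0 for a file that is missing or unreadable.
exposed_secrets() {
    [ -r "$1" ] || { printf '0\n'; return 0; }
    grep -Ec '^[[:space:]]*(secret_key|bind_password)[[:space:]]*=' "$1" || true
}

# harden FILE: apply the advisory's mitigation (chmod 640) and verify it.
# 640 keeps owner rw and group r; the group must be the grafana-server
# service account's group, or the service cannot read its configuration.
harden() {
    chmod 640 "$1" || return 1
    if world_readable "$1"; then
        printf 'ERROR: %s is still world readable\n' "$1" >&2
        return 1
    fi
    return 0
}

# audit [--fix] [FILE...]: report each file; with --fix also harden it.
# Return value is the number of files found world readable (0 means clean).
audit() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    [ $# -gt 0 ] || set -- $DEFAULT_FILES   # word splitting intended
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'SKIP  %s (not present)\n' "$f"
            continue
        fi
        if world_readable "$f"; then
            bad=$((bad + 1))
            printf 'WORLD-READABLE %s: %s secret setting(s) exposed\n' \
                "$f" "$(exposed_secrets "$f")"
            [ "$fix" -eq 1 ] && harden "$f" && printf 'FIXED %s\n' "$f"
        else
            printf 'OK    %s\n' "$f"
        fi
    done
    return "$bad"
}

# Entry point: sh grafana-perms.sh audit [--fix] [FILE...]
# Without a subcommand only the functions are defined (e.g. when sourced).
case "$1" in
    audit) shift; audit "$@" ;;
    *) ;;
esac
```

Run `sh grafana-perms.sh audit` first to see the state without changing anything; the non-zero exit status makes it usable as a compliance check in configuration management. Add `--fix` to apply the mitigation, and confirm afterwards that grafana-server still starts, since the check only proves that "others" lost read access, not that the service account kept it.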

Affected packages

Platform                                   | Package                          | State                | Advisory        | Release
Red Hat Ceph Storage 2                     | grafana                          | Out of support scope |                 |
Red Hat Ceph Storage 3                     | grafana                          | Not affected         |                 |
Red Hat Ceph Storage 3                     | grafana-container                | Not affected         |                 |
Red Hat Ceph Storage 4                     | rhceph/rhceph-4-dashboard-rhel8  | Not affected         |                 |
Red Hat OpenShift Container Platform 3.11  | openshift3/grafana               | Fix deferred         |                 |
Red Hat OpenShift Container Platform 4     | openshift4/ose-grafana           | Fix deferred         |                 |
Red Hat Storage 3                          | grafana                          | Not affected         |                 |
OpenShift Service Mesh 1.0                 | jaeger                           | Fixed                | RHSA-2020:2362  | 2 Jun 2020
OpenShift Service Mesh 1.0                 | kiali                            | Fixed                | RHSA-2020:2362  | 2 Jun 2020
OpenShift Service Mesh 1.0                 | servicemesh-grafana              | Fixed                | RHSA-2020:2362  | 2 Jun 2020


Additional information

Severity: Moderate
Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1829724
grafana: information disclosure through world-readable grafana configuration files

EPSS: 0.00051 (16th percentile, Low)
CVSS3: 6.2 Medium

Related vulnerabilities

CVSS3: 5.5 (nvd, about 5 years ago)
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

CVSS3: 5.5 (github, about 3 years ago)
Grafana world readable configuration files

oracle-oval, more than 4 years ago
ELSA-2020-4682: grafana security, bug fix, and enhancement update (MODERATE)
