
Bug 671098 (CVE-2018-19039)

Summary: <www-apps/grafana-bin-5.3.4: file exfiltration
Product: Gentoo Security
Reporter: Manuel Rüger (RETIRED) <mrueg>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: erkiferenc, patrick, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Manuel Rüger (RETIRED) gentoo-dev 2018-11-13 20:39:03 UTC
"File Exfiltration vulnerability (CVE-2018-19039)

On the 5th of November at 1700 CEST we were contacted about a potential security issue that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note that in order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Affected versions

Grafana releases 4.1 through 5.3.2 are affected by this vulnerability.
Solutions and mitigations

All installations between 4.1.0 and 5.3.2 that have users that should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you cannot upgrade, you should set all users to viewers and remove all dashboards that contain text panels.

All instances of Grafana Cloud have already been updated to 5.3.3. Grafana Enterprise customers have been proactively notified.

We would like to thank Daniele Costa, NCC Group for reporting this issue.
Conclusion

If you run a Grafana between version 4.1.0 and 5.3.2 with users that should not have access to the filesystem where Grafana is running, please upgrade to Grafana 5.3.3 or 4.6.5 as soon as possible."
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2018-11-13 20:39:48 UTC
In the meantime, 5.3.4 (2018-11-13) was also released:
    "Alerting: Delete alerts when parent folder was deleted #13322

    MySQL: Fix $__timeFilter() should respect local time zone #13769

    Dashboard: Fix datasource selection in panel by enter key #13932

    Graph: Fix table legend height when positioned below graph and using Internet Explorer 11 #13903

    Dataproxy: Drop origin and referer http headers #13328 #13949, thx @roidelapluie"
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-19 01:42:17 UTC
First fixed version in Gentoo repository is =www-apps/grafana-bin-5.3.4.

Repository is clean.

Package was never stable, all done.