"File Exfiltration vulnerability (CVE-2018-19039)
On the 5th of November at 1700 CEST we were contacted about a potential security issue that could allow any user with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note that in order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Grafana releases 4.1 through 5.3.2 are affected by this vulnerability.
Solutions and mitigations
All installations between 4.1.0 and 5.3.2 that have users that should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you cannot upgrade, you should set all users to viewers and remove all dashboards that contain text panels.
All instances of Grafana Cloud have already been updated to 5.3.3. Grafana Enterprise customers have been proactively notified.
We would like to thank Daniele Costa, NCC Group for reporting this issue.
If you run Grafana between versions 4.1.0 and 5.3.2 with users that should not have access to the filesystem where Grafana is running, please upgrade to Grafana 5.3.3 or 4.6.5 as soon as possible."
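The advisory above gives an administrator two things to check before the upgrade lands: whether the running release falls inside the affected window (4.1.0 through 5.3.2) and, if it does, which accounts and dashboards the interim mitigation (set users to Viewer, remove dashboards with text panels) would have to touch. The following triage helper is an added example, not code from Grafana or from the Gentoo package; it works offline on constructed sample data. It assumes the usual Grafana dashboard JSON layout (a "panels" list, collapsed rows carrying nested "panels", and the pre-5.0 top-level "rows" list) and a user list with "login" and "role" fields of the kind Grafana's /api/org/users returns; both shapes are assumptions for the purpose of the example.

```python
"""Triage helper for CVE-2018-19039 (Grafana text-panel file read).

Added example, not Grafana's or Gentoo's own code. It applies the
advisory's two checks offline: is the version inside the affected range
4.1.0 .. 5.3.2, and which users/dashboards the mitigation would touch.
Assumed (not taken from the advisory): dashboard JSON with "panels",
nested "panels" under collapsed rows or legacy top-level "rows", and a
user list with "login"/"role" keys like Grafana's /api/org/users.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

AFFECTED_MIN = (4, 1, 0)          # first affected release per the advisory
AFFECTED_MAX = (5, 3, 2)          # last affected release per the advisory
FIXED_BY_MAJOR = {4: "4.6.5", 5: "5.3.3"}   # fixed releases named in the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """'v5.3.2' or '5.3.2-beta1' -> (5, 3, 2); ValueError if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True for any release in the window 4.1.0 through 5.3.2 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def upgrade_target(version: str) -> Optional[str]:
    """Fixed release for the running major, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_BY_MAJOR[parse_version(version)[0]]


def iter_panels(dashboard: Dict) -> Iterable[Dict]:
    """Yield every panel, descending into collapsed rows and legacy rows."""
    stack: List[Dict] = list(dashboard.get("panels", []))
    for row in dashboard.get("rows", []):       # pre-5.0 schema (assumed)
        stack.extend(row.get("panels", []))
    while stack:
        panel = stack.pop()
        yield panel
        stack.extend(panel.get("panels", []))   # collapsed row keeps children inline


def text_panels(dashboard: Dict) -> List[str]:
    """Sorted titles of text panels, the ones the mitigation says to remove."""
    return sorted(p.get("title", "<untitled>")
                  for p in iter_panels(dashboard) if p.get("type") == "text")


def privileged_users(users: List[Dict]) -> List[str]:
    """Logins holding Editor or Admin, the roles the advisory says are needed."""
    return sorted(u["login"] for u in users if u.get("role") in ("Editor", "Admin"))


def triage(version: str, dashboards: List[Dict], users: List[Dict]) -> Dict:
    """Summarise what an admin must do on this instance."""
    hits = {d.get("title", "<untitled>"): text_panels(d) for d in dashboards}
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": upgrade_target(version),
        "users_to_downgrade": privileged_users(users),
        "dashboards_with_text_panels": {k: v for k, v in hits.items() if v},
    }


# Constructed sample data (not from any real instance).
SAMPLE_USERS = [
    {"login": "alice", "role": "Admin"},
    {"login": "bob", "role": "Viewer"},
    {"login": "carol", "role": "Editor"},
]
SAMPLE_DASHBOARDS = [
    {"title": "ops", "panels": [
        {"type": "graph", "title": "cpu"},
        {"type": "row", "collapsed": True, "title": "details",
         "panels": [{"type": "text", "title": "notes"}]},
    ]},
    {"title": "legacy", "rows": [{"panels": [{"type": "text", "title": "readme"}]}]},
    {"title": "clean", "panels": [{"type": "singlestat", "title": "up"}]},
]

if __name__ == "__main__":
    print(json.dumps(triage("5.3.2", SAMPLE_DASHBOARDS, SAMPLE_USERS), indent=2))
```

Run against a real instance, the version string would come from the running binary and the dashboard and user lists from an export; the checks themselves do not change. A version outside the window yields `"affected": false` and no upgrade target, so the same script can confirm that an upgrade to 5.3.3, 4.6.5 or later actually took effect.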
In the meantime, 5.3.4 (2018-11-13)
"Alerting: Delete alerts when parent folder was deleted #13322
MySQL: Fix $__timeFilter() should respect local time zone #13769
Dashboard: Fix datasource selection in panel by enter key #13932
Graph: Fix table legend height when positioned below graph and using Internet Explorer 11 #13903
Dataproxy: Drop origin and referer http headers #13328 #13949, thx @roidelapluie"
was also released.
First fixed version in the Gentoo repository is =www-apps/grafana-bin-5.3.4.
Repository is clean.
Package was never stable, all done.