Bug 671098 (CVE-2018-19039) - <www-apps/grafana-bin-5.3.4: file exfiltration
Summary: <www-apps/grafana-bin-5.3.4: file exfiltration
Status: RESOLVED FIXED
Alias: CVE-2018-19039
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://community.grafana.com/t/grafa...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-13 20:39 UTC by Manuel Rüger (RETIRED)
Modified: 2018-11-19 01:42 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Manuel Rüger (RETIRED) gentoo-dev 2018-11-13 20:39:03 UTC
"File Exfiltration vulnerability (CVE-2018-19039)

On the 5th of November at 1700 CEST we were contacted about a potential security issue that could allow any user with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note that in order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Affected versions

Grafana releases 4.1 through 5.3.2 are affected by this vulnerability.
Solutions and mitigations

All installations between 4.1.0 and 5.3.2 that have users that should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you can not upgrade, you should set all users to viewers and remove all dashboards that contain text panels.

All instances of Grafana Cloud have already been updated to 5.3.3. Grafana Enterprise customers have been proactively notified.

We would like to thank Daniele Costa, NCC Group for reporting this issue.
Conclusion

If you run Grafana between versions 4.1.0 and 5.3.2 with users that should not have access to the filesystem where Grafana is running, please upgrade to Grafana 5.3.3 or 4.6.5 as soon as possible."
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2018-11-13 20:39:48 UTC
In the meantime, 5.3.4 (2018-11-13) was also released:

    "Alerting: Delete alerts when parent folder was deleted #13322

    MySQL: Fix $__timeFilter() should respect local time zone #13769

    Dashboard: Fix datasource selection in panel by enter key #13932

    Graph: Fix table legend height when positioned below graph and using Internet Explorer 11 #13903

    Dataproxy: Drop origin and referer http headers #13328 #13949, thx @roidelapluie"
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-11-19 01:42:17 UTC
First fixed version in Gentoo repository is =www-apps/grafana-bin-5.3.4.

Repository is clean.

Package was never stable, all done.
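The following triage helper is an added example and is not code from Grafana, Gentoo, or the advisory. It encodes the version bounds stated in the advisory quoted above (4.1 through 5.3.2 affected, fixed in 4.6.5 and 5.3.3) and the two facts the mitigation turns on: which org users hold Editor or Admin, and which dashboards contain text panels. It assumes the shape of Grafana's dashboard JSON model (a `panels` array whose entries carry a `type`, collapsed 5.x row panels nesting their children under `panels`, and the pre-5.0 `rows` layout) and the `login`/`role` fields returned by `/api/org/users`; the dashboard and user records in the block are constructed sample data, not captures from a real instance.

```python
"""Triage helper for CVE-2018-19039 (Grafana text-panel file read).

Added example: this is not Grafana's or Gentoo's code. The version bounds
are taken from the advisory; the dashboard and user records below are
constructed to look like what Grafana's dashboard JSON model and
/api/org/users return, but they are sample data, not captures.
"""
import re

# Affected ranges and the release that closes each branch, per the advisory
# (4.1 through 5.3.2 affected; fixed in 4.6.5 and 5.3.3). Two ranges are
# needed because a single 4.1.0..5.3.2 span would wrongly flag 4.6.5.
AFFECTED_RANGES = (
    ((4, 1, 0), (4, 6, 4), "4.6.5"),   # 4.x branch
    ((5, 0, 0), (5, 3, 2), "5.3.3"),   # 5.x branch
)


def parse_version(text):
    """Turn '5.3.2' or 'v5.3.2-pre1' into a comparable (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def recommended_upgrade(version):
    """Return the fixed release to move to, or None if the version is not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def is_affected(version):
    return recommended_upgrade(version) is not None


def text_panels(dashboard):
    """List (panel id, title) for every text panel in a dashboard JSON model,
    descending into collapsed 5.x row panels and the pre-5.0 'rows' layout."""
    found = []

    def walk(panels):
        for p in panels:
            if p.get("type") == "text":
                found.append((p.get("id"), p.get("title", "")))
            walk(p.get("panels", []))      # children of a collapsed row

    walk(dashboard.get("panels", []))
    for row in dashboard.get("rows", []):  # legacy (pre-5.0) layout
        walk(row.get("panels", []))
    return found


def privileged_users(org_users):
    """Logins holding Editor or Admin in the org, i.e. who could exploit this."""
    return [u["login"] for u in org_users if u.get("role") in ("Editor", "Admin")]


def triage(version, dashboards, org_users):
    """Summarise exposure for one instance: is it affected, what to upgrade to,
    who could exploit it, and which dashboards carry text panels (the ones the
    advisory says to remove if you cannot upgrade)."""
    with_text = [(d.get("title"), text_panels(d)) for d in dashboards]
    return {
        "affected": is_affected(version),
        "upgrade_to": recommended_upgrade(version),
        "privileged_users": privileged_users(org_users),
        "dashboards_with_text_panels": [(t, ps) for t, ps in with_text if ps],
    }


# Constructed sample data (not real captures).
SAMPLE_DASHBOARD = {
    "title": "Ops overview",
    "panels": [
        {"id": 1, "type": "graph", "title": "CPU"},
        {"id": 2, "type": "text", "title": "Notes", "mode": "markdown"},
        {"id": 3, "type": "row", "title": "Details", "collapsed": True,
         "panels": [{"id": 4, "type": "text", "title": "Runbook"}]},
    ],
}
SAMPLE_USERS = [
    {"login": "alice", "role": "Admin"},
    {"login": "bob", "role": "Editor"},
    {"login": "carol", "role": "Viewer"},
]

if __name__ == "__main__":
    print(triage("5.3.2", [SAMPLE_DASHBOARD], SAMPLE_USERS))
```

Feeding the real dashboard and org-user JSON into `triage()` gives the two lists the advisory's fallback mitigation needs: the logins that must be demoted to Viewer and the dashboards whose text panels must go. On a fixed release the `affected` flag is False and the report can be discarded.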