Incoming details
### EMBARGOED EMBARGOED EMBARGOED ###

From email:

Hello Security Team,

The following information is released under embargo, and is not to be made public until Thursday, August 29th, 1300 CEST.

We have discovered and fixed a security vulnerability in Grafana and are in the process of releasing the fix. We have reserved CVE-2019-15043 for this. We made a private disclosure to our enterprise customers last week, and are now notifying key re-distributors and large-volume hosters of Grafana to allow them to plan their own updates.

The nature and history of the vulnerability is as follows:

We received a security report to security@grafana.com on August 12th, 2019. The security report was about a vulnerability in Grafana regarding the dashboard snapshot HTTP API and later identified as affecting Grafana versions from 2.0.0 to 6.3.3. We have reserved CVE-2019-15043 for this vulnerability.

This vulnerability allows any unauthenticated user/client to access the Grafana snapshot HTTP API and create a denial of service attack by posting large amounts of dashboard snapshot payloads to the /api/snapshots HTTP API endpoint. In addition, this vulnerability also allows information disclosure through the /api/snapshot/shared-options HTTP API endpoint. This is only applicable if you have configured your Grafana instance to send snapshots to a specific server using the 'external_snapshot_url' configuration option.

If for some reason you cannot upgrade, the impact can be mitigated by blocking access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load balancer, reverse proxy etc.

Type: Incorrect Access Control
Discovered: 12/08/2019
Discovered By: External Resource
Patch Availability: 22/08/2019
Affected Versions: All versions from 2.0.0 to 6.3.3

If you require advanced access to binaries or source code, or have any other questions, please contact us at support@grafana.com

Team Grafana
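The interim mitigation in the advisory above (block the snapshot API at the proxy layer until the fixed package lands) is stated in one sentence; the following reverse-proxy fragment is an added example of what it looks like in practice. It is not code from Grafana or from the Gentoo ebuild. It assumes nginx is the only path to Grafana and that Grafana listens on 127.0.0.1:3000; the hostname and certificate paths are hypothetical placeholders.

```nginx
# Added example (not from the Grafana advisory or the Gentoo package): nginx
# reverse-proxy fragment implementing the advisory's interim mitigation.
# Assumptions: nginx fronts Grafana, which listens on 127.0.0.1:3000 (hypothetical).
upstream grafana {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name grafana.example.internal;                 # hypothetical hostname
    ssl_certificate     /etc/ssl/grafana/fullchain.pem;   # hypothetical path
    ssl_certificate_key /etc/ssl/grafana/privkey.pem;     # hypothetical path

    # Unauthenticated POST /api/snapshots is the denial-of-service vector named in
    # the advisory. "^~" is a longest-prefix match that also covers /api/snapshots/<key>,
    # so the whole snapshot API is denied regardless of HTTP method.
    location ^~ /api/snapshots {
        return 403;
    }

    # The information-disclosure endpoint uses the singular "snapshot" path, so a
    # rule for /api/snapshots alone does not cover it; deny it explicitly. Only
    # relevant when external_snapshot_url is configured, but harmless otherwise.
    location = /api/snapshot/shared-options {
        return 403;
    }

    # Everything else is proxied to Grafana unchanged.
    location / {
        proxy_pass http://grafana;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, an unauthenticated `curl -i -X POST https://grafana.example.internal/api/snapshots -H 'Content-Type: application/json' -d '{}'` should return 403 from nginx rather than reaching Grafana. Two caveats apply: the rule only helps if Grafana's own port is not reachable from untrusted networks (otherwise the proxy is bypassed), and it disables dashboard snapshot sharing for legitimate users too, so it is a stopgap until the fixed package (6.3.4 / 5.4.5) is installed.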
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc04e0f73a70df2146160612a5acf4b40dd3d204

commit fc04e0f73a70df2146160612a5acf4b40dd3d204
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-29 15:51:15 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-29 15:51:28 +0000

    www-apps/grafana-bin: bump to v5.4.5

    Bug: https://bugs.gentoo.org/692962
    Package-Manager: Portage-2.3.73, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/Manifest                 |  1 +
 www-apps/grafana-bin/grafana-bin-5.4.5.ebuild | 70 +++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de15addbeeee92046b00fb183fe33c8a28fe0e4f

commit de15addbeeee92046b00fb183fe33c8a28fe0e4f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-29 15:49:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-29 15:51:27 +0000

    www-apps/grafana-bin: bump to v6.3.4

    Bug: https://bugs.gentoo.org/692962
    Package-Manager: Portage-2.3.73, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/Manifest                 |  1 +
 www-apps/grafana-bin/grafana-bin-6.3.4.ebuild | 71 +++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
@ maintainer(s): Please call for stabilization. Maybe we can move to v6.x?
=www-apps/grafana-bin-6.3.5 has just been stabilized on bug 691038, so I think this can be closed.

PS: feel free to CC me from the beginning next time! ;)