[ASA-201811-15] grafana: arbitrary filesystem access
Jelle van der Waa
jelle at archlinux.org
Mon Nov 19 13:09:03 UTC 2018
Arch Linux Security Advisory ASA-201811-15
==========================================
Severity: High
Date : 2018-11-15
CVE-ID : CVE-2018-19039
Package : grafana
Type : arbitrary filesystem access
Remote : Yes
Link : https://security.archlinux.org/AVG-811
Summary
=======
The package grafana before version 5.3.4-1 is vulnerable to arbitrary
filesystem access.
Resolution
==========
Upgrade to 5.3.4-1.
# pacman -Syu "grafana>=5.3.4-1"
The problem has been fixed upstream in version 5.3.4.
Workaround
==========
None.
Description
===========
Al security issue has been found in grafana before 5.3.3, that could
allow any users with Editor or Admin permissions in Grafana to read any
file that the Grafana process can read from the filesystem. Note, that
in order to exploit this you would need to be logged in to the system
as a legitimate user with Editor or Admin permissions.
Impact
======
A remote, authenticated attacker is able to read any file that is
accessible to the Grafana process.
References
==========
https://grafana.com/blog/2018/11/13/grafana-5.3.3-and-4.6.5-released-with-important-security-fix/
https://security.archlinux.org/CVE-2018-19039
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20181119/1d1e5abd/attachment.asc>
More information about the arch-security
mailing list