PT-2019-14309 · Mysql Server+1

Published: 2019-09-23 · Updated: 2022-04-22 · CVE-2019-15635

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Grafana version 5.4.0

Description

An issue in Grafana allows an admin user to reveal passwords for data sources, such as MySQL, by pressing the "Save and test" button within a data source's settings menu. The password is sent to the server and can be revealed using tools like Burp Proxy. Additionally, a browser prompt to save credentials is generated, and the password can be revealed by checking the "Show password" box.

Recommendations

For Grafana version 5.4.0, consider restricting access to the data source settings menu to minimize the risk of password revelation until a fix is available. As a temporary workaround, avoid using the "Save and test" button within a data source's settings menu to prevent password exposure.

Fix

Cleartext Transmission of Sensitive Information

Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers

CVE-2019-15635

Affected Products

Grafana
Mysql Server