PT-2019-14309 · Mysql Server+1

Published: 2019-09-23 · Updated: 2022-04-22 · CVE-2019-15635

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Grafana version 5.4.0

Description

An issue in Grafana allows an admin user to reveal passwords for data sources, such as MySQL, by pressing the "Save and test" button within a data source's settings menu. The password is sent to the server and can be revealed using tools like Burp Proxy. Additionally, a browser prompt to save credentials is generated, and the password can be revealed by checking the "Show password" box.

Recommendations

For Grafana version 5.4.0, consider restricting access to the data source settings menu to minimize the risk of password revelation until a fix is available. As a temporary workaround, avoid using the "Save and test" button within a data source's settings menu to prevent password exposure.

Fix

Cleartext Transmission of Sensitive Information

Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers

CVE-2019-15635

Affected Products

Grafana
Mysql Server