PT-2020-13123 · Grafana+4

Hardik Vyas · Published 2020-04-29 · Updated 2024-06-28 · CVE-2020-12458

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Grafana versions prior to 7.2.1
Grafana versions through 6.7.3

Description

An information-disclosure flaw was found in Grafana. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information, such as cleartext or encrypted datasource passwords.

Recommendations

For versions through 6.7.3, consider restricting access to the database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db to prevent exposure of sensitive information. For versions prior to 7.2.1, update to version 7.2.1 or later to resolve the issue. As a temporary workaround, consider changing the permissions of the database directory and file to prevent world readability until a patch is applied.
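
One way to check for the exposure and apply the permission workaround described above. This is an added example, not part of the advisory or of Grafana; the function names, the GRAFANA_DIR variable and the audit/fix arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit and tighten the two paths named in the advisory.
# GRAFANA_DIR is an assumed override so the functions can be tried on a copy.
GRAFANA_DIR=${GRAFANA_DIR:-/var/lib/grafana}

# Print the three "other" permission characters of a path, e.g. "r-x" or "---".
# A sticky bit without execute ("T") grants nothing, so it is shown as "-".
other_perms() {
    ls -ldL -- "$1" | cut -c8-10 | tr 'T' '-'
}

# Print "<perms> <path>" for each advisory path under $1 that grants any
# access to users outside the owner and group. No output means not exposed.
exposed_paths() {
    for p in "$1" "$1/grafana.db"; do
        [ -e "$p" ] || continue
        perms=$(other_perms "$p")
        [ "$perms" = "---" ] || printf '%s %s\n' "$perms" "$p"
    done
}

# Workaround: drop all "other" access. Owner and group bits are untouched,
# so the account the Grafana service runs as keeps its access.
harden() {
    for p in "$1" "$1/grafana.db"; do
        if [ -e "$p" ]; then
            chmod o-rwx -- "$p" || return 1
        fi
    done
}

# With no argument the script only defines the functions.
case "${1:-}" in
    audit) exposed_paths "$GRAFANA_DIR" ;;
    fix)   harden "$GRAFANA_DIR" && exposed_paths "$GRAFANA_DIR" ;;
esac
```

Package upgrades or a reinstall may reset the modes, so rerun the audit after updating.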

Exploit

Fix

Cleartext Storage of Sensitive Information

Incorrect Permission

Weakness Enumeration

Related Identifiers

ALSA-2020:4682
ALT-PU-2020-1966
ALT-PU-2020-2045
ALT-PU-2020-2204
BIT-GRAFANA-2020-12458
CESA-2020_4682
CVE-2020-12458
ECHO-D586-F692-3A53
GHSA-3JQ7-8PH8-63XM
GO-2024-2513
RHSA-2020:4682
RHSA-2020_4682

Affected Products

Alt Linux
AlmaLinux
CentOS
Grafana
Red Hat