A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However, in order to exploit this issue you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Find out more about CVE-2018-19039 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform Operational Tools 9 | grafana | Affected |
| Red Hat OpenShift Container Platform 3.11 | grafana | Affected |
| Red Hat Gluster Storage 3 | grafana | Affected |
| Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | grafana | Affected |
| Red Hat Ceph Storage 3 | grafana | Affected |
| Red Hat Ceph Storage 2 | grafana | Affected |
Vulmon