{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-11-23T00:00:00", "descriptions": [{"lang": "en", "value": "Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-04T17:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "105994", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105994"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"}, {"name": "RHSA-2019:0747", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0747"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190416-0004/"}, {"name": "RHSA-2019:0911", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0911"}, {"name": "openSUSE-SU-2020:1611", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "105994", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105994"}, {"name": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961", "refsource": "CONFIRM", "url": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}, {"name": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/", "refsource": "CONFIRM", "url": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"}, {"name": "RHSA-2019:0747", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0747"}, {"name": "https://security.netapp.com/advisory/ntap-20190416-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190416-0004/"}, {"name": "RHSA-2019:0911", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0911"}, {"name": "openSUSE-SU-2020:1611", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:23:08.805Z"}, "title": "CVE Program Container", "references": [{"name": "105994", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105994"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"}, {"name": "RHSA-2019:0747", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:0747"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190416-0004/"}, {"name": "RHSA-2019:0911", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:0911"}, {"name": "openSUSE-SU-2020:1611", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19039", "datePublished": "2018-12-13T19:00:00", "dateReserved": "2018-11-06T00:00:00", "dateUpdated": "2024-08-05T11:23:08.805Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FE58A99-17A0-48EC-AFE1-0F42CC5C1622", "versionEndExcluding": "4.6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "24149E51-50CF-4054-BA52-DDF80B3630FF", "versionEndExcluding": "5.3.3", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "516F4E8E-ED2F-4282-9DAB-D8B378F61258", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_performance_analytics_services:-:*:*:*:*:*:*:*", "matchCriteriaId": "83077160-BB98-408B-81F0-8EF9E566BF28", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:storagegrid_webscale_nas_bridge:-:*:*:*:*:*:*:*", "matchCriteriaId": "9EB95AE0-8815-4F2B-9D2F-B9272D7BDF91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions."}, {"lang": "es", "value": "Grafana en versiones anteriores a la 4.6.5 y versiones 5.x anteriores a la 5.3.3 permite que usuarios autenticados remotos lean archivos arbitrarios aprovechando los permisos Editor o Admin."}], "id": "CVE-2018-19039", "lastModified": "2024-11-21T03:57:12.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-13T19:29:00.403", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105994"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0747"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0911"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190416-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105994"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0747"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0911"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190416-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:0747", "cpe": "cpe:/a:redhat:ceph_storage:2::el7", "package": "ceph-2:10.2.10-49.el7cp", "product_name": "Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7", "release_date": "2019-04-11T00:00:00Z"}, {"advisory": "RHSA-2019:0747", "cpe": "cpe:/a:redhat:ceph_storage:2::el7", "package": "grafana-0:4.3.2-4.el7cp", "product_name": "Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7", "release_date": "2019-04-11T00:00:00Z"}, {"advisory": "RHSA-2019:0911", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "ceph-2:12.2.8-128.el7cp", "product_name": "Red Hat Ceph Storage 3.2", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHSA-2019:0911", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "ceph-ansible-0:3.2.15-1.el7cp", "product_name": "Red Hat Ceph Storage 3.2", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHSA-2019:0911", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "grafana-0:5.2.4-2.el7cp", "product_name": "Red Hat Ceph Storage 3.2", "release_date": "2019-04-30T00:00:00Z"}], "bugzilla": {"description": "grafana: File exfiltration", "id": "1649697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1649697"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.", "A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However, in order to exploit this issue you would need to be logged in to the system as a legitimate user with Editor or Admin permissions."], "name": "CVE-2018-19039", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack-optools:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat OpenStack Platform 8 (Liberty) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack-optools:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2018-11-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-19039\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-19039\nhttps://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"], "threat_severity": "Moderate"}