{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-04T17:06:10.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://community.grafana.com/t/release-notes-v6-3-x/19202"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/grafana/releases"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"}, {"name": "FEDORA-2019-0bb6b876da", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/"}, {"name": "FEDORA-2019-77d612eab4", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20191004-0004/"}, {"name": "openSUSE-SU-2020:0892", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"}, {"name": "openSUSE-SU-2020:1105", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"}, {"name": "openSUSE-SU-2020:1611", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15043", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://community.grafana.com/t/release-notes-v6-3-x/19202", "refsource": "MISC", "url": "https://community.grafana.com/t/release-notes-v6-3-x/19202"}, {"name": "https://github.com/grafana/grafana/releases", "refsource": "MISC", "url": "https://github.com/grafana/grafana/releases"}, {"name": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569", "refsource": "CONFIRM", "url": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569"}, {"name": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/", "refsource": "CONFIRM", "url": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"}, {"name": "FEDORA-2019-0bb6b876da", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/"}, {"name": "FEDORA-2019-77d612eab4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/"}, {"name": "https://security.netapp.com/advisory/ntap-20191004-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20191004-0004/"}, {"name": "openSUSE-SU-2020:0892", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"}, {"name": "openSUSE-SU-2020:1105", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"}, {"name": "openSUSE-SU-2020:1611", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:34:53.156Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.grafana.com/t/release-notes-v6-3-x/19202"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/grafana/releases"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"}, {"name": "FEDORA-2019-0bb6b876da", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/"}, {"name": "FEDORA-2019-77d612eab4", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20191004-0004/"}, {"name": "openSUSE-SU-2020:0892", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"}, {"name": "openSUSE-SU-2020:1105", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"}, {"name": "openSUSE-SU-2020:1611", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15043", "datePublished": "2019-09-03T11:47:35.000Z", "dateReserved": "2019-08-14T00:00:00.000Z", "dateUpdated": "2024-08-05T00:34:53.156Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "35B2F43D-9037-4FA6-853E-1B00E1E96457", "versionEndExcluding": "5.4.5", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "52DED895-3E2B-4109-96D4-59EBA368A9BA", "versionEndExcluding": "6.3.4", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana."}, {"lang": "es", "value": "En Grafana versi\u00f3n 2.x hasta la versi\u00f3n 6.x en versiones anteriores a la 6.3.4, partes de la API HTTP permiten el uso no autenticado. Esto hace posible ejecutar un ataque de denegaci\u00f3n de servicio contra el servidor que ejecuta Grafana."}], "id": "CVE-2019-15043", "lastModified": "2024-11-21T04:27:56.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-03T12:15:10.933", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://community.grafana.com/t/release-notes-v6-3-x/19202"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/grafana/grafana/releases"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20191004-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://community.grafana.com/t/release-notes-v6-3-x/19202"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/grafana/grafana/releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20191004-0004/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Grafana team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:1659", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:6.3.6-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}], "bugzilla": {"description": "grafana: incorrect access control in snapshot HTTP API leads to denial of service", "id": "1746945", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1746945"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "(CWE-284|CWE-200)", "details": ["In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana."], "mitigation": {"lang": "en:us", "value": "Block access to the snapshot feature by blocking the /api/snapshots \nURL via a web application firewall, load balancer, reverse proxy etc.\nYou can also set 'external_enabled' to false to disable external \nsnapshot publish endpoint (default true). Note, it will completely\ndisable this feature.\n# cat /etc/grafana/grafana.ini\n[...]\n[snapshots]\n# snapshot sharing options\nexternal_enabled = false\nexternal_snapshot_url = https://snapshots-origin.raintank.io\nexternal_snapshot_name = Publish to snapshot.raintank.io\n[...]"}, "name": "CVE-2019-15043", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Affected", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2019-08-29T18:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-15043\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15043\nhttps://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/"], "statement": "OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform.\nThis issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.", "threat_severity": "Moderate"}

{}