CVE-2019-19499 — SQL Injection in Grafana Grafana

CWE-89 — SQL Injection CWE-200 — Sensitive Information Exposure CWE-22 — Path Traversal CWE-88 — Argument Injection8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

43.9%

top 2.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedAug 28

Latest updateMar 28

Description

Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶Gogithub.com/grafana_grafana< 6.4.4

▶NVDgrafana/grafana6.4.3

🔴Vulnerability Details

OSV

Arbitrary file read in github.com/grafana/grafana↗2024-03-28

▶

GHSA

Grafana Arbitrary File Read↗2024-01-31

▶

OSV

Grafana Arbitrary File Read↗2024-01-31

▶

OSV

CVE-2019-19499: Grafana <= 6↗2020-08-28

▶

CVEList

CVE-2019-19499: Grafana <= 6↗2020-08-28

▶

📋Vendor Advisories

Red Hat

grafana: arbitrary file read via MySQL data source↗2020-08-27

▶

💬Community

Bugzilla

CVE-2019-19499 grafana: arbitrary file read via MySQL data source↗2020-08-28

▶