CVE-2020-12458 — Incorrect Permission Assignment in Grafana Grafana

CWE-732 — Incorrect Permission Assignment CWE-312 — Cleartext Storage of Sensitive Info9 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 78.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana Fedoraproject Fedora +2 more

Timeline

PublishedApr 29

Latest updateJun 28

Description

An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Gogithub.com/grafana_grafana< 7.2.1

▶NVDgrafana/grafana6.7.3

▶NVDredhat/ceph_storage3.0, 4.0+1

Also affects: Fedora 31, 32, Enterprise Linux 8.0

🔴Vulnerability Details

OSV

Grafana information disclosure in github.com/grafana/grafana↗2024-06-28

▶

OSV

Grafana information disclosure↗2022-05-24

▶

GHSA

Grafana information disclosure↗2022-05-24

▶

OSV

CVE-2020-12458: An information-disclosure flaw was found in Grafana through 6↗2020-04-29

▶

CVEList

CVE-2020-12458: An information-disclosure flaw was found in Grafana through 6↗2020-04-29

▶

📋Vendor Advisories

Red Hat

grafana: information disclosure through world-readable /var/lib/grafana/grafana.db↗2020-04-23

▶

💬Community

Bugzilla

CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db [fedora-all]↗2020-04-28

▶

Bugzilla

CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db↗2020-04-24

▶