CVE-2020-12458
Published 2020-04-29
Priority: P4 (23) · medium · 5.5 · CVSS 3.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.46% (36.9th percentile)
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | grafana_grafana | >= 0 < 7.2.1 | 7.2.1 |
| grafana | grafana | <= 6.7.3 | — |
| redhat | ceph_storage | — | — |
| redhat | ceph_storage | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
OSV
Grafana information disclosure in github.com/grafana/grafana
osv·2024-06-28
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v7.2.1.
OSV
Grafana information disclosure
osv·2022-05-24 · severity HIGH
An information-disclosure flaw was found in Grafana. The database directory `/var/lib/grafana` and database file `/var/lib/grafana/grafana.db` are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
GHSA
Grafana information disclosure
ghsa·2022-05-24 · severity HIGH · CWE-312
An information-disclosure flaw was found in Grafana. The database directory `/var/lib/grafana` and database file `/var/lib/grafana/grafana.db` are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
OSV
CVE-2020-12458: An information-disclosure flaw was found in Grafana through 6.7.3
osv·2020-04-29 · CVSS 5.5 · severity MEDIUM
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
Red Hat
grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
vendor_redhat·2020-04-23 · CVSS 5.5 · severity MEDIUM · CWE-732
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
An information-disclosure flaw was found in the way Grafana set permissions for the database directory and file. This flaw allows a local attacker access to potentially sensitive information such as cleartext or encrypted datasource passwords from /var/lib/grafana/grafana.db.
Statement: The versions of grafana shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 3 and 4 set the world readable permissions on grafana databas
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db [fedora-all]
bugzilla·2020-04-28 · CVSS 5.5 · severity MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue af
Bugzilla
CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
bugzilla·2020-04-24 · CVSS 5.5 · severity MEDIUM
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
Notable fixes, which remove the readable bits:
- change permissions of /var/lib/grafana/grafana.db to 640 and user/group grafana:grafana
- change permissions of /var/lib/grafana to 750
Commits:
https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
https://src.fedoraproject.org/rpms/grafana/c/925160cd8de011ab33609023abf961f4ff6ba804
https://src.fedoraproject.org/rpms/grafana/c/f7791a6ad70
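An audit and remediation helper for the fix described in the Bugzilla comment above, written here as an added example (not Grafana's or Fedora's own code): it reports whether the data directory and database carry any world-accessible permission bits and can apply the 750/640, grafana:grafana layout the packaging fix used. The default paths are the ones the advisory names; the function names and the `nochown` switch (for testing without root) are assumptions made for this example.

```shell
#!/bin/sh
# Added audit/remediation helper for CVE-2020-12458 (example code, not Grafana's
# or Fedora's own). Default paths are the ones the advisory names; the
# "nochown" switch and the function names are assumptions made for this example.

# Octal permission digits of a path ("644"); GNU stat first, BSD stat fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True (exit 0) when the "other" digit is non-zero, i.e. any world bit is set.
world_accessible() {
  m=$(mode_of "$1") || return 2
  other=$(printf '%s' "$m" | tail -c 1)
  [ "$other" != "0" ]
}

# Report on the data directory and database; exit 1 if either is exposed.
audit_grafana() {
  dir="${1:-/var/lib/grafana}"
  db="${2:-$dir/grafana.db}"
  rc=0
  for p in "$dir" "$db"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"
    elif world_accessible "$p"; then
      echo "EXPOSED: $p mode $(mode_of "$p")"
      rc=1
    else
      echo "ok: $p mode $(mode_of "$p")"
    fi
  done
  return "$rc"
}

# Apply the layout the Fedora fix used: directory 750, database 640,
# both owned by grafana:grafana (pass "nochown" as $3 when not running as root).
fix_grafana() {
  dir="${1:-/var/lib/grafana}"
  db="${2:-$dir/grafana.db}"
  chmod 750 "$dir" && chmod 640 "$db" || return 1
  [ "${3:-}" = "nochown" ] || chown grafana:grafana "$dir" "$db"
}
```

On a real host, run `audit_grafana` as any user to check exposure and `fix_grafana` as root; the directory bit matters too, since a 640 file inside a world-listable, world-traversable directory still reveals its name and metadata.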
References:
- https://access.redhat.com/security/cve/CVE-2020-12458
- https://bugzilla.redhat.com/show_bug.cgi?id=1827765
- https://github.com/grafana/grafana/issues/8283
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
- https://security.netapp.com/advisory/ntap-20200518-0001/
Published 2020-04-29