CVE-2020-12459
Published 2020-04-29
Priority: P4 · CVSS 3.1: 5.5 (medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.5th percentile)
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | grafana_grafana | >= 6.0.0-beta1 < 7.2.1 | 7.2.1 |
| grafana | grafana | 6.0.0 – 6.3.6 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| NVD | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| Red Hat (vendor) | — | 5.5 | MEDIUM | — |
OSV
osv · 2024-07-02
CVE-2020-12459: Grafana world readable configuration files in github.com/grafana/grafana
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v6.0.0 before v7.2.1.
GHSA
ghsa · 2022-05-24 · [HIGH] · CWE-200
CVE-2020-12459: Grafana world readable configuration files
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files `/etc/grafana/grafana.ini` and `/etc/grafana/ldap.toml` (which contain a secret_key and a bind_password) are world readable.
OSV
osv · 2022-05-24 · [HIGH]
CVE-2020-12459: Grafana world readable configuration files (same description as the GHSA entry)
Red Hat
vendor_redhat · 2020-04-23 · CVSS 5.5 · [MEDIUM] · CWE-732
CVE-2020-12459: grafana: information disclosure through world-readable grafana configuration files
An information-disclosure flaw was found in Grafana distributed by Red Hat. This flaw allows a local attacker access to potentially sensitive information such as secret_key and a bind_password from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.
Statement: Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4 which sets correct permissions for configuration files.
This issue did not affect the version of grafa
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2020-04-30 · CVSS 5.5 · [MEDIUM]
CVE-2020-12459 grafana: information disclosure through world-readable grafana configuration files [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue af
Bugzilla
bugzilla · 2020-04-30 · CVSS 5.5 · [MEDIUM]
CVE-2020-12459 grafana: information disclosure through world-readable grafana configuration files
For Grafana versions 6.x through 6.4.3 distributed by Red Hat, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml, which contain secret_key and bind_password, are world readable.
Grafana versions 5.x set the correct file permission, 0640:
```spec
%files
[...]
%attr(0640, root, grafana) %{_sysconfdir}/%{name}/grafana.ini
%attr(0640, root, grafana) %{_sysconfdir}/%{name}/ldap.toml
```
Grafana versions 6.x through 6.4.3 set the insecure file permission 0644:
```spec
# config defaults
install -p -m 644 conf/distro-defaults.ini \
    %{buildroot}%{_sysconfdir}/%{binary_name}/grafana.ini
install -p -m 644 conf/distro-defaults.ini \
    %{buildroot}%{_datadir}/%{binary_name}/conf/defaults.ini
install -p -m 64
```
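An added audit and remediation helper for the condition this Bugzilla comment describes (example code, not from Red Hat's spec file or the Grafana project). It assumes GNU or BusyBox stat with a BSD fallback, treats the advisory's two paths as the usual targets, and applies the 0640 root:grafana layout the 5.x spec used.

```shell
#!/bin/sh
# Audit helper for the condition in CVE-2020-12459: Grafana config files that are
# readable by "other" while holding secret_key / bind_password. Added example,
# not code from Red Hat's spec file or the Grafana project. Assumes GNU/BusyBox
# stat (-c '%a'); falls back to BSD stat (-f '%Lp').

file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_world_readable FILE: exit 0 when the "other" read bit (o+r) is set.
is_world_readable() {
    mode=$(file_mode "$1") || return 1
    other=${mode#"${mode%?}"}            # last octal digit = "other" class
    case "$other" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# holds_secrets FILE: exit 0 when an uncommented secret_key or bind_password
# assignment is present (";secret_key = ..." comment lines do not count).
holds_secrets() {
    grep -Eq '^[[:space:]]*(secret_key|bind_password)[[:space:]]*=' "$1"
}

# audit_grafana_config FILE...: print one line per world-readable file.
# Exit 0 when nothing is exposed, 1 when at least one file needs attention;
# a missing file is skipped, not reported.
audit_grafana_config() {
    findings=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if is_world_readable "$f"; then
            if holds_secrets "$f"; then
                echo "EXPOSED: $f (mode $(file_mode "$f")) holds secret_key/bind_password"
            else
                echo "WARN: $f (mode $(file_mode "$f")) is world readable"
            fi
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# harden_config FILE [GROUP]: apply the 0640 root:GROUP layout of the 5.x spec;
# chown only when GROUP is given (the grafana group may not exist locally).
harden_config() {
    chmod 0640 "$1" && { [ -z "$2" ] || chown "root:$2" "$1"; }
}

# Audit only when paths are given (the advisory's two files are the usual targets).
[ $# -eq 0 ] || audit_grafana_config "$@"
```

Run it as `sh audit.sh /etc/grafana/grafana.ini /etc/grafana/ldap.toml`; a non-zero exit means at least one file still exposes its contents to every local account.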
References
https://access.redhat.com/security/cve/CVE-2020-12459
https://bugzilla.redhat.com/show_bug.cgi?id=1829724
https://github.com/grafana/grafana/issues/8283
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
https://security.netapp.com/advisory/ntap-20200518-0004/
https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277