CVE-2018-19039
grafana: File exfiltration
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
Grafana en versiones anteriores a la 4.6.5 y versiones 5.x anteriores a la 5.3.3 permite que usuarios autenticados remotos lean archivos arbitrarios aprovechando los permisos Editor o Admin.
A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However, in order to exploit this issue you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. A file exfiltration issue was addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-11-06 CVE Reserved
- 2018-12-13 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/105994 | Third Party Advisory | |
| https://security.netapp.com/advisory/ntap-20190416-0004 | Third Party Advisory |
|
| https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 | 2020-10-04 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html | 2020-10-04 | |
| https://access.redhat.com/errata/RHSA-2019:0747 | 2020-10-04 | |
| https://access.redhat.com/errata/RHSA-2019:0911 | 2020-10-04 | |
| https://access.redhat.com/security/cve/CVE-2018-19039 | 2019-04-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1649697 | 2019-04-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | < 4.6.5 Search vendor "Grafana" for product "Grafana" and version " < 4.6.5" | - |
Affected
| ||||||
| Grafana Search vendor "Grafana" | Grafana Search vendor "Grafana" for product "Grafana" | >= 5.0.0 < 5.3.3 Search vendor "Grafana" for product "Grafana" and version " >= 5.0.0 < 5.3.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 3.0 Search vendor "Redhat" for product "Ceph Storage" and version "3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Performance Analytics Services Search vendor "Netapp" for product "Active Iq Performance Analytics Services" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Storagegrid Webscale Nas Bridge Search vendor "Netapp" for product "Storagegrid Webscale Nas Bridge" | - | - |
Affected
| ||||||