{
  "threat_severity" : "Moderate",
  "public_date" : "2018-11-13T00:00:00Z",
  "bugzilla" : {
    "description" : "grafana: File exfiltration",
    "id" : "1649697",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1649697"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.", "A security issue was found that could allow any user with Editor or Admin permissions in Grafana to read any file on the filesystem that the Grafana process can read. However, exploiting this issue requires being logged in to the system as a legitimate user with Editor or Admin permissions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-04-11T00:00:00Z",
    "advisory" : "RHSA-2019:0747",
    "cpe" : "cpe:/a:redhat:ceph_storage:2::el7",
    "package" : "ceph-2:10.2.10-49.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-04-11T00:00:00Z",
    "advisory" : "RHSA-2019:0747",
    "cpe" : "cpe:/a:redhat:ceph_storage:2::el7",
    "package" : "grafana-0:4.3.2-4.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.2",
    "release_date" : "2019-04-30T00:00:00Z",
    "advisory" : "RHSA-2019:0911",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-2:12.2.8-128.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.2",
    "release_date" : "2019-04-30T00:00:00Z",
    "advisory" : "RHSA-2019:0911",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-ansible-0:3.2.15-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.2",
    "release_date" : "2019-04-30T00:00:00Z",
    "advisory" : "RHSA-2019:0911",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "grafana-0:5.2.4-2.el7cp"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Affected",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty) Operational Tools",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:openstack-optools:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:openstack-optools:9"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-19039\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-19039\nhttps://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961" ],
  "name" : "CVE-2018-19039",
  "csaw" : false
}