{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-27T00:00:00Z",
  "bugzilla" : {
    "description" : "grafana: arbitrary file read via MySQL data source",
    "id" : "1873615",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1873615"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-88->CWE-200",
  "details" : [ "Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.", "Grafana has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations." ],
  "statement" : "A vulnerable version of Grafana is shipped in OpenShift 3.11 and OpenShift ServiceMesh; however, Prometheus is used as a data source, and modifying the MySQL data source would require full control of the Grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still package the vulnerable code, the components are affected, but with an impact of Low.\nRed Hat Ceph Storage 3 and 4 ship an older version of the affected code, which can still be exploited. However, Ceph 3 and 4 do not use MySQL as a data source; therefore, the impact is low.\nRed Hat Gluster Storage 3 ships a vulnerable version of Grafana; however, Graphite is the only supported data source, and hence this issue has been rated as having a security impact of Low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4682",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "grafana-0:6.7.4-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Fix deferred",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana-container",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-19499\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19499\nhttps://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/" ],
  "name" : "CVE-2019-19499",
  "csaw" : false
}