{
  "threat_severity" : "Moderate",
  "public_date" : "2020-04-23T20:00:00Z",
  "bugzilla" : {
    "description" : "grafana: information disclosure through world-readable /var/lib/grafana/grafana.db",
    "id" : "1827765",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1827765"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-732",
  "details" : [ "An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).", "An information-disclosure flaw was found in the way Grafana set permissions for the database directory and file. This flaw allows a local attacker access to potentially sensitive information such as cleartext or encrypted datasource passwords from /var/lib/grafana/grafana.db." ],
  "statement" : "The versions of grafana shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 3 and 4 sets the world readable permissions on grafana database directory and file, hence affected by this vulnerability.\nIn both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it's run in a container image with SELinux MCS labels this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4682",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "grafana-0:6.7.4-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Fix deferred",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "grafana-container",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Will not fix",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-12458\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12458" ],
  "name" : "CVE-2020-12458",
  "mitigation" : {
    "value" : "Manually change the directory and files permissions to remove readable bits for others:\n# chmod 750 /var/lib/grafana\n# chmod 640 /var/lib/grafana/grafana.db\n# chown grafana:grafana /var/lib/grafana/grafana.db",
    "lang" : "en:us"
  },
  "csaw" : false
}