{
  "threat_severity" : "Moderate",
  "public_date" : "2020-04-23T20:00:00Z",
  "bugzilla" : {
    "description" : "grafana: information disclosure through world-readable grafana configuration files",
    "id" : "1829724",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1829724"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-732",
  "details" : [ "In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.", "An information-disclosure flaw was found in Grafana distributed by Red Hat. This flaw allows any local user to read potentially sensitive information, such as the secret_key and the LDAP bind_password, from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml." ],
  "statement" : "Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4 which sets correct permissions for configuration files.\nThis issue did not affect the version of grafana as shipped with Red Hat Gluster Storage 3, as it ships grafana v4.6.4 which sets correct permissions for configuration files.\nIn both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, because these containers run with SELinux MCS labels, other processes on the host are prevented from reading those files as long as SELinux is in enforcing mode. Therefore, for both (OCP and OSSM) the impact is low.",
  "affected_release" : [ {
    "product_name" : "Openshift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el7",
    "package" : "jaeger-0:v1.13.1.redhat7-1.el7",
    "impact" : "low"
  }, {
    "product_name" : "Openshift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el7",
    "package" : "kiali-0:v1.0.11.redhat1-1.el7",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el8",
    "package" : "servicemesh-grafana-0:6.2.2-36.el8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4682",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "grafana-0:6.7.4-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana-container",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-12459\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12459" ],
  "name" : "CVE-2020-12459",
  "mitigation" : {
    "value" : "Manually change the file permissions to remove the readable bit for others (the files' group must be the one the grafana service runs as, otherwise the service will no longer be able to read its configuration):\n# chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml",
    "lang" : "en:us"
  },
  "csaw" : false
}