Details of VAR-201909-0885

ID

VAR-201909-0885

CVE

CVE-2019-15043

TITLE

Grafana Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-30484 // CNNVD: CNNVD-201908-2274

DESCRIPTION

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Grafana Contains an access control vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Grafana is a set of open source monitoring tools that provide a visual monitoring interface at Grafana Labs. This tool is mainly used to monitor and analyze Graphite, InfluxDB and Prometheus. An access control error vulnerability exists in Grafana that could be exploited by an attacker to cause a denial of service. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: grafana security, bug fix, and enhancement update Advisory ID: RHSA-2020:1659-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:1659 Issue date: 2020-04-28 CVE Names: CVE-2019-15043 ==================================================================== 1. Summary: An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana (6.3.6). (BZ#1725278) Security Fix(es): * grafana: incorrect access control in snapshot HTTP API leads to denial of service (CVE-2019-15043) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: grafana-6.3.6-1.el8.src.rpm aarch64: grafana-6.3.6-1.el8.aarch64.rpm grafana-azure-monitor-6.3.6-1.el8.aarch64.rpm grafana-cloudwatch-6.3.6-1.el8.aarch64.rpm grafana-debuginfo-6.3.6-1.el8.aarch64.rpm grafana-elasticsearch-6.3.6-1.el8.aarch64.rpm grafana-graphite-6.3.6-1.el8.aarch64.rpm grafana-influxdb-6.3.6-1.el8.aarch64.rpm grafana-loki-6.3.6-1.el8.aarch64.rpm grafana-mssql-6.3.6-1.el8.aarch64.rpm grafana-mysql-6.3.6-1.el8.aarch64.rpm grafana-opentsdb-6.3.6-1.el8.aarch64.rpm grafana-postgres-6.3.6-1.el8.aarch64.rpm grafana-prometheus-6.3.6-1.el8.aarch64.rpm grafana-stackdriver-6.3.6-1.el8.aarch64.rpm ppc64le: grafana-6.3.6-1.el8.ppc64le.rpm grafana-azure-monitor-6.3.6-1.el8.ppc64le.rpm grafana-cloudwatch-6.3.6-1.el8.ppc64le.rpm grafana-debuginfo-6.3.6-1.el8.ppc64le.rpm grafana-elasticsearch-6.3.6-1.el8.ppc64le.rpm grafana-graphite-6.3.6-1.el8.ppc64le.rpm grafana-influxdb-6.3.6-1.el8.ppc64le.rpm grafana-loki-6.3.6-1.el8.ppc64le.rpm grafana-mssql-6.3.6-1.el8.ppc64le.rpm grafana-mysql-6.3.6-1.el8.ppc64le.rpm grafana-opentsdb-6.3.6-1.el8.ppc64le.rpm grafana-postgres-6.3.6-1.el8.ppc64le.rpm grafana-prometheus-6.3.6-1.el8.ppc64le.rpm grafana-stackdriver-6.3.6-1.el8.ppc64le.rpm s390x: grafana-6.3.6-1.el8.s390x.rpm grafana-azure-monitor-6.3.6-1.el8.s390x.rpm grafana-cloudwatch-6.3.6-1.el8.s390x.rpm grafana-debuginfo-6.3.6-1.el8.s390x.rpm grafana-elasticsearch-6.3.6-1.el8.s390x.rpm grafana-graphite-6.3.6-1.el8.s390x.rpm grafana-influxdb-6.3.6-1.el8.s390x.rpm grafana-loki-6.3.6-1.el8.s390x.rpm grafana-mssql-6.3.6-1.el8.s390x.rpm grafana-mysql-6.3.6-1.el8.s390x.rpm grafana-opentsdb-6.3.6-1.el8.s390x.rpm grafana-postgres-6.3.6-1.el8.s390x.rpm grafana-prometheus-6.3.6-1.el8.s390x.rpm grafana-stackdriver-6.3.6-1.el8.s390x.rpm x86_64: grafana-6.3.6-1.el8.x86_64.rpm grafana-azure-monitor-6.3.6-1.el8.x86_64.rpm grafana-cloudwatch-6.3.6-1.el8.x86_64.rpm grafana-debuginfo-6.3.6-1.el8.x86_64.rpm grafana-elasticsearch-6.3.6-1.el8.x86_64.rpm grafana-graphite-6.3.6-1.el8.x86_64.rpm grafana-influxdb-6.3.6-1.el8.x86_64.rpm grafana-loki-6.3.6-1.el8.x86_64.rpm grafana-mssql-6.3.6-1.el8.x86_64.rpm grafana-mysql-6.3.6-1.el8.x86_64.rpm grafana-opentsdb-6.3.6-1.el8.x86_64.rpm grafana-postgres-6.3.6-1.el8.x86_64.rpm grafana-prometheus-6.3.6-1.el8.x86_64.rpm grafana-stackdriver-6.3.6-1.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-15043 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXqhVtdzjgjWX9erEAQjjzQ//UMQ+3TmzrSdgb9VpHE0EhP2PMJi7A9oo aieBhGN/4wPHmCoH2XHNSQPLkrmJf49ZkIPYzPcoZjs/DQ/oy7J/dT/nVNsW9Aul /JSVeWjlgNqFn4gZFe5LCtgqzt48FL/hSt1NgPqmpZWmyx1JXThTOed3PcbptmLO FgIj3Lhs7kcZk/LTvXNC4L3UyhUn5PJK+mXzAtNWTvW0Ca2cWGRVCtbssI/m87IL AR84wXaVj8xW054DLlojDfigUFXTlJr4PFM6tfFJwxUzgev8Xb6Sg09PM48FEd2L B7f1W9xb/27cqj0BDapp3vj8+ViKDOIDGeDZxlxdFMkQaK1mHNWOuNiIZCiGBDVd ++OX/wjjxbnfUiRd/ounQLZadta4D9c6qs+xORwHaPVy6hAOeV9UELDY+nmXo3tO GDGPAmLyJqdYZR/4PO1O0Gp7/dOyL+51J57QpD/7coGrwAikkm9hF2bI1WabRe01 nx/DEFdjOtmHXPR7g41BroCr81bom+J7SCru9MotBCVUm5HbW42mhPxixkb70Tlu +yUfSLZFO5Ve8VTF+/eMx817pwLQP/a6lkbJzVwwCYMIsgaaEgKXPj5BLM5P7hKk HyvYc7bWku+csEfM2Cf0qHFIYYxgBqZIp14UU70MZ0J6HQIMWCHXJqngUAzkvqR4 k/AjDHhUTII=yev2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.34

sources: NVD: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // PACKETSTORM: 157468

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-30484

AFFECTED PRODUCTS

vendor:	grafana	model:	grafana	scope:	lt	version:	5.4.5	Trust: 1.0
vendor:	grafana	model:	grafana	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	grafana	model:	grafana	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	grafana	model:	grafana	scope:	lt	version:	6.3.4	Trust: 1.0
vendor:	grafana	model:	grafana	scope:	eq	version:	6.3.4	Trust: 0.8
vendor:	grafana	model:	grafana	scope:	lt	version:	6.x for up to 2.x	Trust: 0.8
vendor:	grafana	model:	grafana	scope:	gte	version:	2.,<=6.	Trust: 0.6

sources: CNVD: CNVD-2019-30484 // JVNDB: JVNDB-2019-008892 // NVD: CVE-2019-15043

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15043
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-15043
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-30484
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201908-2274
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-15043
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-15043
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-30484
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-15043
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: JVNDB: JVNDB-2019-008892 // NVD: CVE-2019-15043

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-2274

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201908-2274

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008892

PATCH

title:	Releases	url:	https://github.com/grafana/grafana/releases	Trust: 0.8
title:	Grafana 5.4.5 and 6.3.4 Security Update	url:	https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569	Trust: 0.8
title:	Release Notes v6.3.x	url:	https://community.grafana.com/t/release-notes-v6-3-x/19202	Trust: 0.8
title:	1Grafana 5.4.5 and 6.3.4 Released with Important Security Fix	url:	https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/	Trust: 0.8
title:	Patch for Grafana Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/179003	Trust: 0.6
title:	Grafana Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97782	Trust: 0.6
title:	Red Hat: Moderate: grafana security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201659 - Security Advisory	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-15043	Trust: 0.1
title:	CVE-2019-15043 POC	url:	https://github.com/h0ffayyy/CVE-2019-15043	Trust: 0.1
title:	CVE-POC	url:	https://github.com/n1sh1th/CVE-POC	Trust: 0.1
title:	F5の脆弱性情報	url:	https://github.com/DNTYO/F5_Vulnerability	Trust: 0.1
title:	Nuclei Templates Resources	url:	https://github.com/merlinepedra25/nuclei-templates	Trust: 0.1
title:	Nuclei Templates Resources	url:	https://github.com/merlinepedra/nuclei-templates	Trust: 0.1
title:	Kenzer Templates [1289]	url:	https://github.com/Elsfa7-110/kenzer-templates	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/developer3000S/PoC-in-GitHub	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/hectorgie/PoC-in-GitHub	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/0xT11/CVE-POC	Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNNVD: CNNVD-201908-2274

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15043	Trust: 3.2
db:	JVNDB	id:	JVNDB-2019-008892	Trust: 0.8
db:	PACKETSTORM	id:	157468	Trust: 0.7
db:	CNVD	id:	CNVD-2019-30484	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1508	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4190	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2492	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4048.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3854	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1298	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1135	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1727.2	Trust: 0.6
db:	CNNVD	id:	CNNVD-201908-2274	Trust: 0.6
db:	VULMON	id:	CVE-2019-15043	Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

REFERENCES

url:	https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569	Trust: 1.7
url:	https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/	Trust: 1.7
url:	https://community.grafana.com/t/release-notes-v6-3-x/19202	Trust: 1.7
url:	https://github.com/grafana/grafana/releases	Trust: 1.7
url:	https://security.netapp.com/advisory/ntap-20191004-0004/	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15043	Trust: 1.5
url:	https://access.redhat.com/security/cve/cve-2019-15043	Trust: 1.3
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rf5argyx3wyb7h2fdr7vawteq27ux3fu/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/uo4nbl7pkw4osfrvzengc42ewejv2yah/	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15043	Trust: 0.8
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/uo4nbl7pkw4osfrvzengc42ewejv2yah/	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rf5argyx3wyb7h2fdr7vawteq27ux3fu/	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-20192671-1.html	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-20192867-1.html	Trust: 0.6
url:	https://www.suse.com/support/update/announcement/2019/suse-su-20192906-1.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4048.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1135	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1298	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4190/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/grafana-denial-of-service-via-http-api-30211	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1508/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2492/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3854/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1727.2/	Trust: 0.6
url:	https://packetstormsecurity.com/files/157468/red-hat-security-advisory-2020-1659-01.html	Trust: 0.6
url:	https://access.redhat.com/errata/rhsa-2020:1659	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 0.1
url:	https://github.com/h0ffayyy/cve-2019-15043	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://security.archlinux.org/cve-2019-15043	Trust: 0.1
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index	Trust: 0.1
url:	https://bugzilla.redhat.com/):	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://access.redhat.com/security/team/contact/	Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274

SOURCES

db:	CNVD	id:	CNVD-2019-30484
db:	VULMON	id:	CVE-2019-15043
db:	JVNDB	id:	JVNDB-2019-008892
db:	PACKETSTORM	id:	157468
db:	CNNVD	id:	CNNVD-201908-2274
db:	NVD	id:	CVE-2019-15043

LAST UPDATE DATE

2024-08-14T12:47:07.905000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-30484	date:	2019-09-05T00:00:00
db:	VULMON	id:	CVE-2019-15043	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2019-008892	date:	2019-09-09T00:00:00
db:	CNNVD	id:	CNNVD-201908-2274	date:	2021-04-19T00:00:00
db:	NVD	id:	CVE-2019-15043	date:	2023-11-07T03:05:24.357

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-30484	date:	2019-09-05T00:00:00
db:	VULMON	id:	CVE-2019-15043	date:	2019-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2019-008892	date:	2019-09-09T00:00:00
db:	PACKETSTORM	id:	157468	date:	2020-04-28T20:40:11
db:	CNNVD	id:	CNNVD-201908-2274	date:	2019-08-30T00:00:00
db:	NVD	id:	CVE-2019-15043	date:	2019-09-03T12:15:10.933