ID

VAR-201909-0885


CVE

CVE-2019-15043


TITLE

Grafana Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-30484 // CNNVD: CNNVD-201908-2274

DESCRIPTION

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Grafana contains an access control vulnerability that may put the service into a denial-of-service (DoS) state. Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. This tool is mainly used to monitor and analyze Graphite, InfluxDB and Prometheus. An access control error vulnerability exists in Grafana that could be exploited by an attacker to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:1659-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1659
Issue date:        2020-04-28
CVE Names:         CVE-2019-15043
====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (6.3.6). (BZ#1725278)

Security Fix(es):

* grafana: incorrect access control in snapshot HTTP API leads to denial of service (CVE-2019-15043)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
grafana-6.3.6-1.el8.src.rpm

aarch64:
grafana-6.3.6-1.el8.aarch64.rpm
grafana-azure-monitor-6.3.6-1.el8.aarch64.rpm
grafana-cloudwatch-6.3.6-1.el8.aarch64.rpm
grafana-debuginfo-6.3.6-1.el8.aarch64.rpm
grafana-elasticsearch-6.3.6-1.el8.aarch64.rpm
grafana-graphite-6.3.6-1.el8.aarch64.rpm
grafana-influxdb-6.3.6-1.el8.aarch64.rpm
grafana-loki-6.3.6-1.el8.aarch64.rpm
grafana-mssql-6.3.6-1.el8.aarch64.rpm
grafana-mysql-6.3.6-1.el8.aarch64.rpm
grafana-opentsdb-6.3.6-1.el8.aarch64.rpm
grafana-postgres-6.3.6-1.el8.aarch64.rpm
grafana-prometheus-6.3.6-1.el8.aarch64.rpm
grafana-stackdriver-6.3.6-1.el8.aarch64.rpm

ppc64le:
grafana-6.3.6-1.el8.ppc64le.rpm
grafana-azure-monitor-6.3.6-1.el8.ppc64le.rpm
grafana-cloudwatch-6.3.6-1.el8.ppc64le.rpm
grafana-debuginfo-6.3.6-1.el8.ppc64le.rpm
grafana-elasticsearch-6.3.6-1.el8.ppc64le.rpm
grafana-graphite-6.3.6-1.el8.ppc64le.rpm
grafana-influxdb-6.3.6-1.el8.ppc64le.rpm
grafana-loki-6.3.6-1.el8.ppc64le.rpm
grafana-mssql-6.3.6-1.el8.ppc64le.rpm
grafana-mysql-6.3.6-1.el8.ppc64le.rpm
grafana-opentsdb-6.3.6-1.el8.ppc64le.rpm
grafana-postgres-6.3.6-1.el8.ppc64le.rpm
grafana-prometheus-6.3.6-1.el8.ppc64le.rpm
grafana-stackdriver-6.3.6-1.el8.ppc64le.rpm

s390x:
grafana-6.3.6-1.el8.s390x.rpm
grafana-azure-monitor-6.3.6-1.el8.s390x.rpm
grafana-cloudwatch-6.3.6-1.el8.s390x.rpm
grafana-debuginfo-6.3.6-1.el8.s390x.rpm
grafana-elasticsearch-6.3.6-1.el8.s390x.rpm
grafana-graphite-6.3.6-1.el8.s390x.rpm
grafana-influxdb-6.3.6-1.el8.s390x.rpm
grafana-loki-6.3.6-1.el8.s390x.rpm
grafana-mssql-6.3.6-1.el8.s390x.rpm
grafana-mysql-6.3.6-1.el8.s390x.rpm
grafana-opentsdb-6.3.6-1.el8.s390x.rpm
grafana-postgres-6.3.6-1.el8.s390x.rpm
grafana-prometheus-6.3.6-1.el8.s390x.rpm
grafana-stackdriver-6.3.6-1.el8.s390x.rpm

x86_64:
grafana-6.3.6-1.el8.x86_64.rpm
grafana-azure-monitor-6.3.6-1.el8.x86_64.rpm
grafana-cloudwatch-6.3.6-1.el8.x86_64.rpm
grafana-debuginfo-6.3.6-1.el8.x86_64.rpm
grafana-elasticsearch-6.3.6-1.el8.x86_64.rpm
grafana-graphite-6.3.6-1.el8.x86_64.rpm
grafana-influxdb-6.3.6-1.el8.x86_64.rpm
grafana-loki-6.3.6-1.el8.x86_64.rpm
grafana-mssql-6.3.6-1.el8.x86_64.rpm
grafana-mysql-6.3.6-1.el8.x86_64.rpm
grafana-opentsdb-6.3.6-1.el8.x86_64.rpm
grafana-postgres-6.3.6-1.el8.x86_64.rpm
grafana-prometheus-6.3.6-1.el8.x86_64.rpm
grafana-stackdriver-6.3.6-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-15043
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXqhVtdzjgjWX9erEAQjjzQ//UMQ+3TmzrSdgb9VpHE0EhP2PMJi7A9oo
aieBhGN/4wPHmCoH2XHNSQPLkrmJf49ZkIPYzPcoZjs/DQ/oy7J/dT/nVNsW9Aul
/JSVeWjlgNqFn4gZFe5LCtgqzt48FL/hSt1NgPqmpZWmyx1JXThTOed3PcbptmLO
FgIj3Lhs7kcZk/LTvXNC4L3UyhUn5PJK+mXzAtNWTvW0Ca2cWGRVCtbssI/m87IL
AR84wXaVj8xW054DLlojDfigUFXTlJr4PFM6tfFJwxUzgev8Xb6Sg09PM48FEd2L
B7f1W9xb/27cqj0BDapp3vj8+ViKDOIDGeDZxlxdFMkQaK1mHNWOuNiIZCiGBDVd
++OX/wjjxbnfUiRd/ounQLZadta4D9c6qs+xORwHaPVy6hAOeV9UELDY+nmXo3tO
GDGPAmLyJqdYZR/4PO1O0Gp7/dOyL+51J57QpD/7coGrwAikkm9hF2bI1WabRe01
nx/DEFdjOtmHXPR7g41BroCr81bom+J7SCru9MotBCVUm5HbW42mhPxixkb70Tlu
+yUfSLZFO5Ve8VTF+/eMx817pwLQP/a6lkbJzVwwCYMIsgaaEgKXPj5BLM5P7hKk
HyvYc7bWku+csEfM2Cf0qHFIYYxgBqZIp14UU70MZ0J6HQIMWCHXJqngUAzkvqR4
k/AjDHhUTII=
=yev2
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.34

sources: NVD: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // PACKETSTORM: 157468

IOT TAXONOMY

category:['ICS'] sub_category:-

Trust: 0.6

sources: CNVD: CNVD-2019-30484

AFFECTED PRODUCTS

vendor:grafana model:grafana scope:lt version:5.4.5

Trust: 1.0

vendor:grafana model:grafana scope:gte version:6.0.0

Trust: 1.0

vendor:grafana model:grafana scope:gte version:2.0.0

Trust: 1.0

vendor:grafana model:grafana scope:lt version:6.3.4

Trust: 1.0

vendor:grafana model:grafana scope:eq version:6.3.4

Trust: 0.8

vendor:grafana model:grafana scope:lt version:2.x up to 6.x

Trust: 0.8

vendor:grafana model:grafana scope:gte version:2.*,<=6.*

Trust: 0.6

sources: CNVD: CNVD-2019-30484 // JVNDB: JVNDB-2019-008892 // NVD: CVE-2019-15043

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15043
value: HIGH

Trust: 1.0

NVD: CVE-2019-15043
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-30484
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-2274
value: HIGH

Trust: 0.6

VULMON: CVE-2019-15043
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-15043
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-30484
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15043
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2019-008892 // NVD: CVE-2019-15043

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-2274

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201908-2274

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008892

PATCH

title:Releases url:https://github.com/grafana/grafana/releases

Trust: 0.8

title:Grafana 5.4.5 and 6.3.4 Security Update url:https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569

Trust: 0.8

title:Release Notes v6.3.x url:https://community.grafana.com/t/release-notes-v6-3-x/19202

Trust: 0.8

title:Grafana 5.4.5 and 6.3.4 Released with Important Security Fix url:https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/

Trust: 0.8

title:Patch for Grafana Access Control Error Vulnerability url:https://www.cnvd.org.cn/patchInfo/show/179003

Trust: 0.6

title:Grafana Fixes for access control error vulnerabilities url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97782

Trust: 0.6

title:Red Hat: Moderate: grafana security, bug fix, and enhancement update - Security Advisory url:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201659

Trust: 0.1

title:Arch Linux Issues url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-15043

Trust: 0.1

title:CVE-2019-15043 POC url:https://github.com/h0ffayyy/CVE-2019-15043

Trust: 0.1

title:CVE-POC url:https://github.com/n1sh1th/CVE-POC

Trust: 0.1

title:F5 vulnerability information url:https://github.com/DNTYO/F5_Vulnerability

Trust: 0.1

title:Nuclei Templates Resources url:https://github.com/merlinepedra25/nuclei-templates

Trust: 0.1

title:Nuclei Templates Resources url:https://github.com/merlinepedra/nuclei-templates

Trust: 0.1

title:Kenzer Templates [1289] url:https://github.com/Elsfa7-110/kenzer-templates

Trust: 0.1

title:PoC in GitHub url:https://github.com/developer3000S/PoC-in-GitHub

Trust: 0.1

title:PoC in GitHub url:https://github.com/hectorgie/PoC-in-GitHub

Trust: 0.1

title:PoC in GitHub url:https://github.com/0xT11/CVE-POC

Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // CNNVD: CNNVD-201908-2274

EXTERNAL IDS

db:NVD id:CVE-2019-15043

Trust: 3.2

db:JVNDB id:JVNDB-2019-008892

Trust: 0.8

db:PACKETSTORM id:157468

Trust: 0.7

db:CNVD id:CNVD-2019-30484

Trust: 0.6

db:AUSCERT id:ESB-2020.1508

Trust: 0.6

db:AUSCERT id:ESB-2019.4190

Trust: 0.6

db:AUSCERT id:ESB-2020.2492

Trust: 0.6

db:AUSCERT id:ESB-2019.4048.2

Trust: 0.6

db:AUSCERT id:ESB-2019.3854

Trust: 0.6

db:AUSCERT id:ESB-2021.1298

Trust: 0.6

db:AUSCERT id:ESB-2021.1135

Trust: 0.6

db:AUSCERT id:ESB-2020.1727.2

Trust: 0.6

db:CNNVD id:CNNVD-201908-2274

Trust: 0.6

db:VULMON id:CVE-2019-15043

Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

REFERENCES

url:https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569

Trust: 1.7

url:https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/

Trust: 1.7

url:https://community.grafana.com/t/release-notes-v6-3-x/19202

Trust: 1.7

url:https://github.com/grafana/grafana/releases

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20191004-0004/

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-15043

Trust: 1.5

url:https://access.redhat.com/security/cve/cve-2019-15043

Trust: 1.3

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rf5argyx3wyb7h2fdr7vawteq27ux3fu/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/uo4nbl7pkw4osfrvzengc42ewejv2yah/

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15043

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/uo4nbl7pkw4osfrvzengc42ewejv2yah/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rf5argyx3wyb7h2fdr7vawteq27ux3fu/

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-20192671-1.html

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-20192867-1.html

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-20192906-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4048.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1135

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1298

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4190/

Trust: 0.6

url:https://vigilance.fr/vulnerability/grafana-denial-of-service-via-http-api-30211

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1508/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2492/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3854/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1727.2/

Trust: 0.6

url:https://packetstormsecurity.com/files/157468/red-hat-security-advisory-2020-1659-01.html

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2020:1659

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url:https://github.com/h0ffayyy/cve-2019-15043

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://security.archlinux.org/cve-2019-15043

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/articles/11258

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index

Trust: 0.1

url:https://bugzilla.redhat.com/

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

sources: CNVD: CNVD-2019-30484 // VULMON: CVE-2019-15043 // JVNDB: JVNDB-2019-008892 // PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274 // NVD: CVE-2019-15043

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 157468 // CNNVD: CNNVD-201908-2274

SOURCES

db:CNVD id:CNVD-2019-30484
db:VULMON id:CVE-2019-15043
db:JVNDB id:JVNDB-2019-008892
db:PACKETSTORM id:157468
db:CNNVD id:CNNVD-201908-2274
db:NVD id:CVE-2019-15043

LAST UPDATE DATE

2024-08-14T12:47:07.905000+00:00


SOURCES UPDATE DATE

db:CNVD id:CNVD-2019-30484 date:2019-09-05T00:00:00
db:VULMON id:CVE-2019-15043 date:2023-11-07T00:00:00
db:JVNDB id:JVNDB-2019-008892 date:2019-09-09T00:00:00
db:CNNVD id:CNNVD-201908-2274 date:2021-04-19T00:00:00
db:NVD id:CVE-2019-15043 date:2023-11-07T03:05:24.357

SOURCES RELEASE DATE

db:CNVD id:CNVD-2019-30484 date:2019-09-05T00:00:00
db:VULMON id:CVE-2019-15043 date:2019-09-03T00:00:00
db:JVNDB id:JVNDB-2019-008892 date:2019-09-09T00:00:00
db:PACKETSTORM id:157468 date:2020-04-28T20:40:11
db:CNNVD id:CNNVD-201908-2274 date:2019-08-30T00:00:00
db:NVD id:CVE-2019-15043 date:2019-09-03T12:15:10.933