CVE-2020-12458: Grafana information disclosure
(updated )
An information-disclosure flaw was found in Grafana. The database directory /var/lib/grafana
and database file /var/lib/grafana/grafana.db
are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
References
- access.redhat.com/security/cve/CVE-2020-12458
- bugzilla.redhat.com/show_bug.cgi?id=1827765
- github.com/advisories/GHSA-3jq7-8ph8-63xm
- github.com/grafana/grafana
- github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
- github.com/grafana/grafana/issues/8283
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A
- nvd.nist.gov/vuln/detail/CVE-2020-12458
- security.netapp.com/advisory/ntap-20200518-0001
Detect and mitigate CVE-2020-12458 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →