CVE-2020-12458: Incorrect Permission Assignment for Critical Resource
(updated )
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
References
- access.redhat.com/security/cve/CVE-2020-12458
- bugzilla.redhat.com/show_bug.cgi?id=1827765
- github.com/advisories/GHSA-3jq7-8ph8-63xm
- github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
- github.com/grafana/grafana/issues/8283
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
- nvd.nist.gov/vuln/detail/CVE-2020-12458
- security.netapp.com/advisory/ntap-20200518-0001/
Detect and mitigate CVE-2020-12458 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →