CVE-2020-12459: Incorrect Permission Assignment for Critical Resource
(updated )
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
References
- access.redhat.com/security/cve/CVE-2020-12459
- bugzilla.redhat.com/show_bug.cgi?id=1827765
- bugzilla.redhat.com/show_bug.cgi?id=1829724
- github.com/advisories/GHSA-m25m-5778-fm22
- github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
- github.com/grafana/grafana/issues/8283
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
- nvd.nist.gov/vuln/detail/CVE-2020-12459
- security.netapp.com/advisory/ntap-20200518-0004/
- src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
Detect and mitigate CVE-2020-12459 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →