CVE-2020-12459: [Bug] Wrong permissions in grafana package for grafana.db · Issue #8283 · grafana/grafana
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
It looks like in #2126 there were plans to lock down the sqlite DB to 0600. While grafana.ini did get locked down, the DB did not. Unless this is no longer believed to be necessary, I could try to send a PR.
[vagrant@monitoring ~]$ less /etc/grafana/grafana.ini
/etc/grafana/grafana.ini: Permission denied
[vagrant@monitoring ~]$ sqlite3 /var/lib/grafana/grafana.db
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select salt, password from user;
SALT|PW
[vagrant@noc-monitoring ~]$ sudo yum info grafana
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.chi.host-engine.com
* extras: mirror.sigmanet.com
* updates: mirror.sigmanet.com
Installed Packages
Name : grafana
Arch : x86_64
Version : 4.2.0
Release : 1
Size : 128 M
Repo : installed
From repo : grafana
Summary : Grafana
URL : https://grafana.com
License : "Apache 2.0"
Description : Grafana
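As an added example that is not part of the issue or of Grafana's own packaging, the following POSIX shell audit reports which of the three files named on this page (grafana.ini, ldap.toml and grafana.db) are readable by "other", which is the condition the reporter demonstrates above with sqlite3 as an unprivileged user. The path list, the function names and the `--run` flag are illustrative assumptions; the 0600 target is the one the reporter cites from #2126.

```shell
#!/bin/sh
# Added example, not code from the Grafana issue or the Grafana project:
# report which of the sensitive Grafana files are world-readable.
# Run as a user allowed to list the files (normally root).

# Paths taken from the issue; the list itself is an assumption for this script.
GRAFANA_SENSITIVE_FILES="/etc/grafana/grafana.ini /etc/grafana/ldap.toml /var/lib/grafana/grafana.db"

# Return 0 if the path can be listed and its "other" read bit is set, 1 otherwise.
# Parses `ls -ld` instead of `stat`, whose flags differ between GNU and BSD.
is_world_readable() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    # Character 8 of the mode string is the "other" read bit:  -rw-r--r--
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# Audit every path given as an argument. Prints one line per file and
# returns 1 if at least one file is world-readable, 0 otherwise.
audit_grafana_perms() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING         $f"
        elif is_world_readable "$f"; then
            echo "WORLD-READABLE  $f ($(ls -ld "$f" | cut -c1-10)) -- expected 0600 per #2126"
            rc=1
        else
            echo "ok              $f"
        fi
    done
    return $rc
}

# Only touch the real paths when explicitly asked, so the functions can be
# sourced and exercised against test files without root.
if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2086
    audit_grafana_perms $GRAFANA_SENSITIVE_FILES
fi
```

Invoked as `sh audit.sh --run` on the vagrant box from the issue, this would flag grafana.db and pass grafana.ini, matching the two terminal sessions above; a non-zero exit status makes it usable as a post-install or configuration-management check.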