CVE-2020-12459: [Bug] Wrong permissions in grafana package for grafana.db · Issue #8283 · grafana/grafana

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.


It looks like in #2126 there were plans to lock down the sqlite DB to 0600. While grafana.ini did get locked down, the DB did not. Unless this is no longer believed to be necessary, I could try to send a PR.

[vagrant@monitoring ~]$ less /etc/grafana/grafana.ini 
/etc/grafana/grafana.ini: Permission denied
[vagrant@monitoring ~]$ sqlite3 /var/lib/grafana/grafana.db 
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select salt, password from user;
SALT|PW
[vagrant@noc-monitoring ~]$ sudo yum info grafana
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.chi.host-engine.com
 * extras: mirror.sigmanet.com
 * updates: mirror.sigmanet.com
Installed Packages
Name        : grafana
Arch        : x86_64
Version     : 4.2.0
Release     : 1
Size        : 128 M
Repo        : installed
From repo   : grafana
Summary     : Grafana
URL         : https://grafana.com
License     : "Apache 2.0"
Description : Grafana
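The transcript above shows the practical impact: an unprivileged local user is refused grafana.ini but can open grafana.db with sqlite3 and dump the salt and password columns of the user table. The following POSIX sh helper is an added example, not Grafana's own tooling and not part of the issue: it audits the three files named on this page (grafana.ini, ldap.toml and grafana.db) for the world-readable bit and tightens them. The 0640 target mode, the root:grafana ownership, and the assumption that these three paths are the only secret-bearing files are all assumptions of this example; the demo builds constructed placeholder files in a temporary directory rather than touching a real install.

```shell
#!/bin/sh
# Added example (not Grafana's own tooling): audit the secret-bearing files named
# in CVE-2020-12459 / issue #8283 for world-readable mode bits and tighten them.
# Assumptions: target mode 0640, ownership root:grafana, and that these three
# paths are the complete list of files holding secrets.

# Paths taken from the CVE text and the issue transcript.
GRAFANA_SECRET_FILES="/etc/grafana/grafana.ini /etc/grafana/ldap.toml /var/lib/grafana/grafana.db"

# world_readable FILE: succeed when the "others" read bit (0004) is set.
# find -perm -004 is POSIX and avoids GNU-specific stat/ls output formats.
world_readable() {
    [ -n "$(find "$1" -perm -004 -print 2>/dev/null)" ]
}

# audit_files FILE...: print each existing regular file that is world-readable.
audit_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            printf 'WORLD-READABLE: %s\n' "$f"
        fi
    done
}

# count_world_readable FILE...: print the number of world-readable files
# on stdout so callers can capture it with $(...).
count_world_readable() {
    audit_files "$@" | wc -l | tr -d ' '
}

# harden_files FILE...: chmod 0640 so only owner and group can read; hand the
# group to the grafana service account when running as root and that group exists.
harden_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        chmod 0640 "$f"
        if [ "$(id -u)" = 0 ] && getent group grafana >/dev/null 2>&1; then
            chown root:grafana "$f"
        fi
    done
}

# demo: constructed files in a temp dir mimicking the state shown in the issue:
# grafana.ini already locked down, grafana.db and ldap.toml still world-readable.
demo() {
    tmp=$(mktemp -d)
    for name in grafana.ini ldap.toml grafana.db; do
        printf 'constructed placeholder, not a real secret\n' > "$tmp/$name"
    done
    chmod 0640 "$tmp/grafana.ini"
    chmod 0644 "$tmp/ldap.toml" "$tmp/grafana.db"

    echo "before: $(count_world_readable "$tmp"/*) world-readable file(s)"
    audit_files "$tmp"/*
    harden_files "$tmp"/*
    echo "after:  $(count_world_readable "$tmp"/*) world-readable file(s)"
    rm -rf "$tmp"
}

# Unquoted list on purpose: the shell word-splits it into the three paths.
case "${1:-}" in
    audit) audit_files $GRAFANA_SECRET_FILES ;;
    fix)   harden_files $GRAFANA_SECRET_FILES ;;
    demo)  demo ;;
esac
```

Run `sh grafana-perms.sh demo` to see the constructed before/after, `sh grafana-perms.sh audit` on a host to list which of the real paths an unprivileged user could read, and `sh grafana-perms.sh fix` as root to apply the assumed 0640 root:grafana policy. The check deliberately tests only the "others" read bit, because that is exactly what let the vagrant user in the transcript read grafana.db while being refused grafana.ini.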
