CVE-2019-15635
low-risk
Published 2019-09-23
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
Do I need to act?
EPSS: 0.12% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.9/10 (Medium), NETWORK attack vector / LOW attack complexity
Affected Products (1)
Affected Vendors
References (4)
Third Party Advisory: https://exchange.xforce.ibmcloud.com/vulnerabilities/167244
Third Party Advisory: https://security.netapp.com/advisory/ntap-20191009-0002/
Overall score: 26 / 100 (low-risk)
Severity: 20/34 · Moderate
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal