CVE-2019-15635

Published: Sep 23, 2019Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.

Affected (1)

Products: Grafana: Grafana

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Grafana Grafana	Version 5.4.0

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

https://exchange.xforce.ibmcloud.com/vulnerabilities/167244

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20191009-0002/

Source: cve@mitre.org

Third Party Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/167244

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20191009-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.