[manjaro-security] [ASA-201811-15] grafana: arbitrary filesystem access
Jelle van der Waa
jelle at archlinux.org
Mon Nov 19 14:09:03 CET 2018
Arch Linux Security Advisory ASA-201811-15
Date : 2018-11-15
CVE-ID : CVE-2018-19039
Package : grafana
Type : arbitrary filesystem access
Remote : Yes
Link : https://security.archlinux.org/AVG-811
The package grafana before version 5.3.4-1 is vulnerable to arbitrary
Upgrade to 5.3.4-1.
# pacman -Syu "grafana>=5.3.4-1"
The problem has been fixed upstream in version 5.3.4.
Al security issue has been found in grafana before 5.3.3, that could
allow any users with Editor or Admin permissions in Grafana to read any
file that the Grafana process can read from the filesystem. Note, that
in order to exploit this you would need to be logged in to the system
as a legitimate user with Editor or Admin permissions.
A remote, authenticated attacker is able to read any file that is
accessible to the Grafana process.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: not available
More information about the manjaro-security