
Grafana bug CVE-2019-15043 can still be exploited despite being out of vulnerable range
Closed, ResolvedPublic

Description

Event Timeline

RhinosF1 raised the priority of this task from High to Unbreak Now!.Sun, Feb 14, 12:25
southparkfan@test3:~$ python3 cve.py --url 'https://grafana.miraheze.org'
[-] Testing https://grafana.miraheze.org...
[-] Status: 200
[-] Checking for version...
[-] Grafana version appears to be: 7.4.1
[!] Version seems to indicate it's probably not vulnerable.
[-] Checking if snapshot api requires authentiation...
[+] Snapshot endpoint doesn't seem to require authentication! Host may be vulnerable.
Southparkfan lowered the priority of this task from Unbreak Now! to High. Edited Sun, Feb 14, 12:54
  • The API endpoint is open
  • Our Grafana version is on a patched version
  • Only impact on A, not C/I, Grafana is not critical
    • However, taking into account that Grafana resides on a system where critical systems (Icinga) are hosted...

Sent email back to researcher on SPF's request

Wikimedia has been contacted. Waiting on more information from the researcher.

Paladox claimed this task.
Paladox added a subscriber: Paladox.

We've sent off an email to grafana and we've blocked the url. We are running a version that supposedly should be patched, but I can still reproduce it.

RhinosF1 renamed this task from Upgrade Grafana due to cve-2019-15043 to Grafana bug CVE-2019-15043 can still be exploited despite being out of vulnerable range.Sun, Feb 14, 17:00
RhinosF1 lowered the priority of this task from High to Normal.

Proper fix is available with https://github.com/grafana/grafana/pull/31263

Opening to track deployment of it.

WMF have still kept the stop gap, and it's an extra layer, so it is worth keeping as well.

And updated with Grafana v7.4.2 (29e75ad97b)
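
As an added verification example (not part of the task, and not Miraheze's or Grafana's code): a script to confirm on your own instance that the snapshot endpoint now rejects anonymous requests, since the task shows that a version string alone does not settle it. It assumes /api/health is unauthenticated and reports the version, that 7.4.2 is the version carrying the proper fix as the task states, and that a 401/403 on the POST means the mitigation holds.

```python
"""Post-fix check for CVE-2019-15043: confirm that anonymous snapshot
creation on your own Grafana instance is rejected, regardless of what
the version string says.  Added example; not from the task or Grafana."""
import json
import sys
import urllib.error
import urllib.request

# Version the task reports as carrying the proper fix (PR 31263).
FIXED_VERSION = (7, 4, 2)


def parse_version(text):
    """'7.4.1-beta1' -> (7, 4, 1); any '-suffix' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def version_looks_patched(version):
    return parse_version(version) >= FIXED_VERSION


def classify_probe(status, version):
    """Combine the version check with the HTTP status of an unauthenticated
    POST to /api/snapshots; the task's case is the second branch."""
    if status in (401, 403):
        return "ok: snapshot endpoint requires authentication"
    if version_looks_patched(version):
        return "alert: version looks patched but snapshot endpoint is open"
    return "alert: unpatched version and snapshot endpoint is open"


def probe(base_url, timeout=10):
    """Return (status, version) for your own instance.  Assumes /api/health
    is unauthenticated and reports 'version', as it does on Grafana."""
    with urllib.request.urlopen(base_url + "/api/health", timeout=timeout) as r:
        version = json.load(r).get("version", "0")
    req = urllib.request.Request(base_url + "/api/snapshots",
                                 data=json.dumps({"dashboard": {}}).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            status = r.status
    except urllib.error.HTTPError as e:
        status = e.code
    return status, version


if __name__ == "__main__":
    print(classify_probe(*probe(sys.argv[1].rstrip("/"))))
```

Run it as `python3 check_snapshots.py https://grafana.example.org` against an instance you administer; anything other than the "ok" line means the stop gap or the upgrade has not taken effect.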

Will make public once WMF confirm they have no objections too, as they've been involved in a lot of this.

RhinosF1 changed the visibility from "Custom Policy" to "Public (No Login Required)".Thu, Feb 18, 16:23
RhinosF1 changed the edit policy from "Custom Policy" to "All Users".