Vulnerability Details : CVE-2019-15635
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
Exploit prediction scoring system (EPSS) score for CVE-2019-15635
Probability of exploitation activity in the next 30 days: 0.09%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 35 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-15635
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST |
4.9
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
1.2
|
3.6
|
NIST |
CWE ids for CVE-2019-15635
-
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Assigned by: nvd@nist.gov (Primary)
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-15635
-
https://security.netapp.com/advisory/ntap-20191009-0002/
CVE-2019-15635 Grafana Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/167244
Grafana information disclosure CVE-2019-15635 Vulnerability ReportThird Party Advisory;VDB Entry
Products affected by CVE-2019-15635
- cpe:2.3:a:grafana:grafana:5.4.0:-:*:*:*:*:*:*