CVE-2019-15635

EPSS 0.28%
Veröffentlicht 23.09.2019 17:15:11
Zuletzt bearbeitet 21.11.2024 04:29:10
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Grafana ≫ Grafana Version5.4.0 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.508

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://exchange.xforce.ibmcloud.com/vulnerabilities/167244

Third Party Advisory

VDB Entry

https://security.netapp.com/advisory/ntap-20191009-0002/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-15635

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-15635

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-15635

EUVD