CVE-2019-19499
Aliases: GHSA-4pwp-cx67-5cpx, GO-2024-2661
Advisory lineage: Upstream: 0, Downstream: 3
Modified
Published: 28 Aug 2020, 14:49
Last modified: 05 Aug 2024, 02:16
Vulnerability Summary
Overall Risk (default): medium (45/100)
CVSS Score: 6.5 MEDIUM (v3.1, NVD)
EPSS Score: 43.86% HIGH (44% probability)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
- 28 Aug 2020, 14:49: Published (vulnerability first disclosed)
- 05 Aug 2024, 02:16: Last Modified (vulnerability information updated)
Description
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
CVSS Metrics
- v4.0 • HIGH • Score: 7.1 • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
- v3.1 • MEDIUM • Score: 6.5 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- v3.1 • MEDIUM • Score: 6.5 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P
- v2.0 • MEDIUM • Score: 4.0 • AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 43.86% • Percentile: 98%
Techniques & Countermeasures
- CWE-89 • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Affected Systems
- github.com/grafana/grafana: < 6.4.4 (all)
- grafana/grafana: ≤ 6.4.3
References
- https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/
- https://security.netapp.com/advisory/ntap-20200918-0003/
- https://nvd.nist.gov/vuln/detail/CVE-2019-19499
- https://github.com/grafana/grafana/pull/20192
- https://github.com/grafana/grafana/commit/19dbd27c5caa1a160bd5854b65a4e1fe2a8a4f00
- https://github.com/grafana/grafana
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md#644-2019-11-06