An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-23T16:37:08

Updated: 2024-08-05T00:56:22.105Z

Reserved: 2019-08-26T00:00:00

Link: CVE-2019-15635

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-09-23T17:15:11.173

Modified: 2024-11-21T04:29:10.110

Link: CVE-2019-15635

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-09-20T00:00:00Z

Links: CVE-2019-15635 - Bugzilla