Arch Linux Security Advisory ASA-201811-15
==========================================

Severity: High
Date    : 2018-11-15
CVE-ID  : CVE-2018-19039
Package : grafana
Type    : arbitrary filesystem access
Remote  : Yes
Link    : https://security.archlinux.org/AVG-811

Summary
=======

The package grafana before version 5.3.4-1 is vulnerable to arbitrary
filesystem access.

Resolution
==========

Upgrade to 5.3.4-1.

# pacman -Syu "grafana>=5.3.4-1"

The problem has been fixed upstream in version 5.3.4.

Workaround
==========

None.

Description
===========

Al security issue has been found in grafana before 5.3.3, that could
allow any users with Editor or Admin permissions in Grafana to read any
file that the Grafana process can read from the filesystem. Note, that
in order to exploit this you would need to be logged in to the system
as a legitimate user with Editor or Admin permissions.

Impact
======

A remote, authenticated attacker is able to read any file that is
accessible to the Grafana process.

References
==========

https://grafana.com/blog/2018/11/13/grafana-5.3.3-and-4.6.5-released-with-important-security-fix/
https://security.archlinux.org/CVE-2018-19039