CVE-2019-15043

HIGH NUCLEI

Grafana 2.x-6.x < 6.3.4 - Unauthenticated Denial of Service via HTTP API

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15043. PoCs published by h0ffayyy. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a Python script that checks if a Grafana server is vulnerable to CVE-2019-15043 by verifying the version number and testing if the snapshot API allows unauthenticated requests. It does not exploit the vulnerability but scans for its presence.

Description

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

Exploits (1)

nomisec SCANNER 8 stars
by h0ffayyy · poc
https://github.com/h0ffayyy/CVE-2019-15043

Classification: Scanner 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Grafana versions before 5.4.5 and 6.3.4
No auth needed
Prerequisites: Network access to the target Grafana instance
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Grafana - Improper Access Control
HIGH · VERIFIED · by Joshua Rogers
Shodan: title:"Grafana" || cpe:"cpe:2.3:a:grafana:grafana" || http.title:"grafana"
FOFA: title="grafana" || app="grafana"

Scores

CVSS v3: 7.5
EPSS: 0.6339
EPSS Percentile: 99.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-306
Status: published
Products (1): grafana/grafana 2.0.0 - 5.4.5
Published: Sep 03, 2019
Tracked Since: Feb 18, 2026