CVE-2019-15635
MEDIUMGrafana 5.4.0 - Cleartext Transmission of Sensitive Information via Data Source Settings
Title source: llmDescription
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/167244
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20191009-0002/
Scores
CVSS v3
4.9
EPSS
0.0161
EPSS Percentile
72.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-319
CWE-522
Status
published
Products (1)
grafana/grafana
5.4.0
Published
Sep 23, 2019
Tracked Since
Feb 18, 2026