Today we are releasing Grafana 5.4.4 and 6.1.5. These patch releases include an important security fix for all Grafana installations between 5.4.0 and 6.1.6. Grafana installs between 6.0.0 and 6.1.4 are less vulnerable due to other security improvements. These versions are only vulnerable if the administrator has disabled default security settings.
We are also releasing 6.1.6 with some additional non-security-related fixes and improvements.
Release 6.1.5 only containing a security fix:
Latest stable release in 5.x:
Latest stable release in 6.x:
File Exfiltration vulnerability (CVE-2018-19039)
On April 22, we noticed that the patch for CVE-2018-19039 was not merged from our private mirror (where we do all high-severity security fixes and builds) to the main Grafana codebase. This means that releases after 5.3.3 do not contain the patch and are still vulnerable to CVE-2018-19039. This has not to our knowledge been detected by anyone else.
This security issue could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note that in order to exploit this, you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Affected versions with high severity
Grafana releases 5.4.0 through 5.4.3
Affected versions with medium severity
Grafana releases 6.0.0 through 6.1.4
Solutions and mitigations
All installations between 5.4.0 and 6.1.4 that have users who should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you cannot upgrade, you should set all users to viewers and remove all dashboards that contain text panels.
Grafana Cloud instances are not affected by this vulnerability. Grafana Enterprise customers have been provided with updated binaries ahead of this disclosure.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue.
April 22, 2019
- 15:42 CET: We discovered that previous fix was not merged to main master branch.
- 15:50 CET: We confirmed that 5.4.0 to 6.1.4 are affected.
- 15:55 CET: We confirmed that Hosted Grafana is not affected by this vulnerability.
April 23, 2019
- 09:30 CET: We assigned Leonard Gram (@xlson) to be responsible for the patch release and Carl Bergquist (@bergquist) to assist when needed.
- 10:40 CET: A release plan was established.
- 11:40 CET: We patched the issue and built new versions from our private mirror.
- 17:40 CET: We proactively provided Grafana Enterprise customers and partners with details and links to patched versions.
April 29, 2019
- 13:00 CET: We released 5.4.4 and 6.1.
- 13:00 CET: We published this blog post.
Reporting security Issues
If you think you have found a security vulnerability please send a report to firstname.lastname@example.org. This address can be used for all of Grafana Labs’s open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us; please use our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign on to the community site or track updates via an RSS feed.
If you run a Grafana instance between version 5.4.0 and 6.1.4 with users that should not have access to the filesystem where Grafana is running, please upgrade to Grafana 5.4.4 or 6.1.5 as soon as possible.