{"id":"CVE-2018-19039","details":"Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.","modified":"2026-05-18T05:50:27.366391281Z","published":"2018-12-13T19:29:00.403Z","related":["SUSE-OU-2019:2022-1","SUSE-OU-2019:2023-1","SUSE-SU-2019:2046-1","SUSE-SU-2019:2671-1","SUSE-SU-2019:2867-1","SUSE-SU-2020:1273-1","SUSE-SU-2021:1962-1","openSUSE-SU-2020:1611-1","openSUSE-SU-2024:10818-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpes":["cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:ceph_storage","extracted_events":[{"last_affected":"3.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:enterprise_linux_desktop","extracted_events":[{"last_affected":"7.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:enterprise_linux_server","extracted_events":[{"last_affected":"7.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:enterprise_linux_workstation","extracted_events":[{"last_affected":"7.0"}]}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105994"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0747"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0911"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190416-0004/"},{"type":"ADVISORY","url":"https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/"},{"type":"FIX","url":"https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"0"},{"fixed":"fdb5b1feb761299d96199bcf421d19e65528a986"},{"introduced":"af6e28366bf3413ee3af56c540513dd70f467c41"},{"fixed":"a8aa16673ed577b786eb2752e1ededc5cb309193"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"4.6.5"},{"introduced":"5.0.0"},{"fixed":"5.3.3"}]}}],"versions":["v5.3.2","v5.3.1","v5.3.0","v5.3.0-beta3","v5.3.0-beta2","v5.3.0-beta1","v4.6.3","v5.0.0","v4.6.2","v4.6.1","v4.6.0","v4.6.0-beta3","v4.6.0-beta2","v4.6.0-beta1","v4.5.0","v4.5.0-beta1","v4.4.0","v3.1.0-beta1","v3.0.2","v3.0.1","v3.0.0-beta7","v3.0.0-beta6","v2.6.0","v2.6.0-beta1","v2.5.0","v2.0.2","v2.0.1","v2.0.0-beta3","v2.0.0-beta1","v1.9.1","v1.9.0","v1.9.0-rc1","v1.7.0-rc1","v1.6.1","v1.6.0","v1.5.4","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.0","v1.3.0","v1.2.0","v1.1.0","v1.0.4","v1.0.3","v1.0.2","v1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19039.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}