Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations. Reference: https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/
Upstream commit: https://github.com/grafana/grafana/commit/e32ee480f56657789beea010f12baf01b44b4cfe
External References: https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/
Statement: A vulnerable version of Grafana is shipped in OpenShift 3.11 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to MySQL requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. Red Hat Ceph Storage 3 and 4 ships an older version of the affected code, which is still possible to exploit. However, Ceph 3 and 4 do not use mysql as a datasource, therefore, the impact is low. Red Hat Gluster Storage 3 ships vulnerable version of grafana, however Graphite is the only supported data source and hence this issue has been rated as having a security impact of Low.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19499
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682