File Exfiltration vulnerability (CVE-2018-19039)
On the 5th of November at 1700 CEST we were contacted about a potential security issue that could allow any user with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note that exploiting this requires being logged in to the system as a legitimate user with Editor or Admin permissions.
Affected versions
Grafana releases 4.1 through 5.3.2 are affected by this vulnerability.
Solutions and mitigations
All installations between 4.1.0 and 5.3.2 that have users who should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you cannot upgrade, you should set all users to viewers and remove all dashboards that contain text panels.
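For installations that cannot upgrade right away, the following added example (not part of the original advisory and not Grafana project code) lists which exported dashboards contain text panels, so they can be removed as the mitigation describes. It assumes dashboards have been exported as JSON, either as the raw dashboard model or wrapped in a `dashboard` key as the HTTP API returns them; the sample dashboards are constructed and the function names are hypothetical.

```python
import json

def iter_panels(dashboard):
    """Yield every panel dict, covering both dashboard JSON layouts."""
    # Older layout: panels live under dashboard["rows"][i]["panels"].
    for row in dashboard.get("rows") or []:
        yield from row.get("panels") or []
    # Newer layout: top-level "panels"; collapsed rows nest their own panels.
    stack = list(dashboard.get("panels") or [])
    while stack:
        panel = stack.pop()
        yield panel
        stack.extend(panel.get("panels") or [])

def unwrap(export):
    """Accept a raw dashboard model or an API-style {"dashboard": ...} export."""
    return export.get("dashboard", export)

def dashboards_to_remove(exports):
    """Map dashboard title -> sorted titles of the text panels it contains."""
    hits = {}
    for export in exports:
        dash = unwrap(export)
        found = [p.get("title", "") for p in iter_panels(dash)
                 if p.get("type") == "text"]
        if found:
            hits[dash.get("title", "<untitled>")] = sorted(found)
    return hits

# Constructed sample exports (not taken from any real installation).
SAMPLES = [json.loads(s) for s in (
    # Older row-based layout, raw model.
    '{"title": "Legacy ops", "rows": [{"panels": ['
    '{"type": "graph", "title": "CPU"}, {"type": "text", "title": "Notes"}]}]}',
    # Newer layout, API-style wrapper, one text panel inside a collapsed row.
    '{"dashboard": {"title": "Team home", "panels": ['
    '{"type": "row", "title": "Docs", "panels": ['
    '{"type": "text", "title": "Runbook"}]},'
    '{"type": "text", "title": "Welcome"}]}, "meta": {}}',
    # No text panels: not affected by the mitigation.
    '{"title": "Metrics only", "panels": [{"type": "graph", "title": "Latency"}]}',
)]

if __name__ == "__main__":
    for title, panels in dashboards_to_remove(SAMPLES).items():
        print(f"{title}: text panels {panels}")
```
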
All instances of Grafana Cloud have already been updated to 5.3.3. Grafana Enterprise customers have been proactively notified.
We would like to thank Daniele Costa of NCC Group for reporting this issue.
Conclusion
If you run a Grafana version between 4.1.0 and 5.3.2 with users who should not have access to the filesystem where Grafana is running, please upgrade to Grafana 5.3.3 or 4.6.5 as soon as possible.