On the 22nd of April we noticed that the patch for (CVE-2018-19039) was never merged from our private mirror (where do all high severity security fixes and builds) to Grafanas main codebase. Which means that all releases after 5.3.3 do not contain the patch and are still vulnerable to CVE-2018-19039. This has not to our knowledge been detected by anyone else.
This security issue could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. Note, that in order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
Affected versions
Grafana releases 5.4.0 through 6.1.4 are affected by this vulnerability.
Solutions and mitigations
All installations between 5.4.0 and 6.1.4 that have users who should not have access to the filesystem where Grafana is running must be upgraded as soon as possible. If you can not upgrade, you should set all users to viewers and remove all dashboards that contain text panels.
Grafana Cloud instances are not affected by this vulnerability. Grafana Enterprise customers have been provided with updated binaries ahead of this disclosure.
Conclusion
If you run a Grafana between version 5.4.0 and 6.1.4 with users that should not have access to the filesystem where Grafana is running, please upgrade to Grafana 6.1.5 or 5.4.4 as soon as possible.