Ignore CVE-2020-12459 that doesn't affect bundled Grafana
CVE description:
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
That doesn't apply to us, since it explicitly states Red Hat packages. Still, I checked the situation, and a regular user/world can't read the config file.
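
One way to repeat that kind of check, as an added example that is not part of the commit or the project's code: it reports whether a config file carries the other-read bit and whether every parent directory lets other users traverse to it. The default paths are the two named in the CVE description, a bundled install would pass its own paths as arguments, and the function names `other_bits` and `world_readable` are hypothetical; only mode bits are inspected, not ACLs or SELinux.

```shell
#!/bin/sh
# Added example: static mode-bit check for world-readable config files.
# Assumption: mode bits only; POSIX ACLs and SELinux policy are not consulted.

# other_bits PATH -> prints the three "other" permission characters, e.g. "r--"
other_bits() {
    # ls -ld prints the mode string first: file type, then user/group/other
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode" | cut -c8-10
}

# world_readable FILE [STOP_DIR]
# 0: FILE has other-read AND every ancestor directory below STOP_DIR
#    (default /) grants other-search (x, or t when sticky is also set).
# 1: not reachable or not readable by "other".  2: path cannot be inspected.
world_readable() {
    file=$1
    stop=${2:-/}
    bits=$(other_bits "$file") || return 2
    case $bits in r*) ;; *) return 1 ;; esac
    dir=$(dirname -- "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        bits=$(other_bits "$dir") || return 2
        # A 0644 file inside a 0750 directory is still out of reach for "other"
        case $bits in ??x|??t) ;; *) return 1 ;; esac
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Defaults are the paths from the CVE description; override with arguments.
[ "$#" -gt 0 ] || set -- /etc/grafana/grafana.ini /etc/grafana/ldap.toml
for f in "$@"; do
    if world_readable "$f"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "WORLD-READABLE: $f" ;;
        1) echo "ok (not world readable): $f" ;;
        *) echo "skipped (not found or not inspectable): $f" ;;
    esac
done
```

Run it as root so that files inside restricted directories can be inspected rather than reported as skipped.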