CVE-2019-19499
Description
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated Grafana user with data source edit privileges can read arbitrary files on the server via a malicious MySQL connection string.
Vulnerability
CVE-2019-19499 is an arbitrary file read vulnerability in Grafana versions ≤ 6.4.3. The root cause lies in how Grafana's MySQL data source connector handles the connection string. An authenticated attacker who has permissions to modify data source configurations can craft a malicious MySQL Data Source Name (DSN) that includes file-reading syntax (e.g., LOAD DATA LOCAL INFILE) to read arbitrary files from the server's filesystem [1].
Exploitation
To exploit this, an attacker must have an authenticated Grafana session and possess the ability to add or edit a MySQL data source. No other special privileges or network position is required beyond those credentials. By changing the DSN to include a reference to a local file, the attacker forces the server to read and return the contents of that file, effectively bypassing normal access controls [2].
Impact
Successful exploitation allows an attacker to read any file that the Grafana process has read access to, including sensitive configuration files like /etc/grafana/grafana.ini, database passwords, TLS/SSL keys, or other secrets stored on the filesystem. This could lead to complete compromise of the Grafana instance and potentially lateral movement within the infrastructure [1].
Mitigation
The vulnerability was fixed in Grafana version 6.4.4, released on November 6, 2019 [2]. Users are strongly advised to upgrade to 6.4.4 or later. For those unable to upgrade immediately, restricting data source edit permissions to trusted users is a recommended workaround, though it does not fully address the underlying issue.
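To make the root cause concrete, here is an added Go example (not Grafana's code) that contrasts the pre-fix pattern of formatting untrusted data source fields straight into the MySQL DSN with a builder that rejects delimiter characters per field, and shows how the driver would read a database name that carries an extra parameter. The `smuggled=1` parameter, the credentials and the `buildDSN`/`driverParams` helper names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Per-field characters that shift where go-sql-driver/mysql splits the DSN
// (the same ones the fix escapes, plus '/' for the database name, because
// the parser locates the name after the last '/').
var dsnDelimiters = [4]struct{ name, chars string }{
	{"user", ":"}, {"password", "@"}, {"address", ")"}, {"database", "?/"},
}

// buildDSNUnsafe mirrors the pre-fix pattern: Sprintf over untrusted fields.
func buildDSNUnsafe(user, pass, addr, db string) string {
	return fmt.Sprintf("%s:%s@tcp(%s)/%s?parseTime=true", user, pass, addr, db)
}

// buildDSN rejects any field holding a delimiter for its position, then
// formats. Rejecting rather than escaping is the conservative choice: the
// driver does not percent-decode the user or password fields.
func buildDSN(user, pass, addr, db string) (string, error) {
	for i, v := range [4]string{user, pass, addr, db} {
		if j := strings.IndexAny(v, dsnDelimiters[i].chars); j >= 0 {
			return "", fmt.Errorf("%s contains DSN delimiter %q", dsnDelimiters[i].name, v[j])
		}
	}
	return buildDSNUnsafe(user, pass, addr, db), nil
}

// driverParams lists what the driver would treat as parameters: everything
// after the first '?' that follows the last '/' (the driver's parse rule).
func driverParams(dsn string) []string {
	rest := dsn[strings.LastIndex(dsn, "/")+1:]
	if q := strings.Index(rest, "?"); q >= 0 {
		return strings.Split(rest[q+1:], "&")
	}
	return nil
}

func main() {
	// Constructed sample: a database name smuggling an extra driver parameter.
	db := "grafana?smuggled=1&"
	fmt.Println(driverParams(buildDSNUnsafe("ro", "s3cret", "db:3306", db)))
	_, err := buildDSN("ro", "s3cret", "db:3306", db)
	fmt.Println(err) // database contains DSN delimiter '?'
}
```

The first print shows `smuggled=1` arriving as a driver parameter under the unsafe builder; the validating builder refuses the same input before any connection is attempted.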
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | < 6.4.4 | 6.4.4 |
Affected products
Grafana/Grafana: 18 entries from the GHSA advisory (the advisory coordinates plus 17 package versions, none with a CPE assigned):

| Package coordinate | Affected range |
|---|---|
| pkg:golang/github.com/grafana/grafana | < 6.4.4 |
| pkg:rpm/almalinux/grafana | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-azure-monitor | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-cloudwatch | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-elasticsearch | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-graphite | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-influxdb | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-loki | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-mssql | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-mysql | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-opentsdb | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-postgres | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-prometheus | < 6.7.4-3.el8 |
| pkg:rpm/almalinux/grafana-stackdriver | < 6.7.4-3.el8 |
| pkg:rpm/suse/grafana (distro: SUSE Enterprise Storage 6) | < 7.3.1-3.6.1 |
| pkg:rpm/suse/system-user-grafana (distro: SUSE Enterprise Storage 6) | < 1.0.0-3.9.1 |
| pkg:rpm/suse/system-user-grafana (distro: SUSE Manager Client Tools 15) | < 1.0.0-3.9.1 |
Patches
Commit 19dbd27c5caa: mysql: fix encoding in connection string (#20192)
1 file changed · +10 −5
pkg/tsdb/mysql/mysql.go+10 −5 modified@@ -4,12 +4,12 @@ import ( "database/sql" "errors" "fmt" + "net/url" "reflect" "strconv" "strings" "github.com/VividCortex/mysqlerr" - "github.com/grafana/grafana/pkg/setting" "github.com/go-sql-driver/mysql" @@ -24,19 +24,24 @@ func init() { tsdb.RegisterTsdbQueryEndpoint("mysql", newMysqlQueryEndpoint) } +func characterEscape(s string, escapeChar string) string { + return strings.Replace(s, escapeChar, url.QueryEscape(escapeChar), -1) +} + func newMysqlQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndpoint, error) { logger := log.New("tsdb.mysql") protocol := "tcp" if strings.HasPrefix(datasource.Url, "/") { protocol = "unix" } + cnnstr := fmt.Sprintf("%s:%s@%s(%s)/%s?collation=utf8mb4_unicode_ci&parseTime=true&loc=UTC&allowNativePasswords=true", - datasource.User, - datasource.DecryptedPassword(), + characterEscape(datasource.User, ":"), + characterEscape(datasource.DecryptedPassword(), "@"), protocol, - datasource.Url, - datasource.Database, + characterEscape(datasource.Url, ")"), + characterEscape(datasource.Database, "?"), ) tlsConfig, err := datasource.GetTLSConfig()
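Review bot: in the import hunk, `"github.com/grafana/grafana/pkg/setting"` is removed with no replacement while `"net/url"` is added; confirm that nothing in pkg/tsdb/mysql/mysql.go still references `setting`, otherwise the file no longer builds, and an unrelated import removal is clearer as its own change (or at least called out in the commit message) so it is not mistaken for part of the encoding fix.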
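Review bot: in the `newMysqlQueryEndpoint` hunk, `characterEscape` replaces exactly one delimiter per field with its percent-encoded form (`:` in the user, `@` in the password, `)` in the URL, `?` in the database name), which leaves two gaps. First, go-sql-driver/mysql takes the user and password segments of a DSN verbatim, so a legitimate password containing `@` would now be sent to MySQL as the literal `%40`; please verify this against the driver's `ParseDSN` before merging. Second, other characters the parser splits on are still passed through, for example `/` in the database name, which moves where the driver locates the name and the parameter list. Building the string through the driver's own `mysql.Config` and `FormatDSN()`, or rejecting values that contain any delimiter for their position, would close both gaps; since this is a 1-file change with no test, a unit test asserting that a database name containing `?` cannot add DSN parameters would pin the behaviour.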
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8 references:
- github.com/advisories/GHSA-4pwp-cx67-5cpx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19499 (GHSA, advisory)
- github.com/grafana/grafana/blob/master/CHANGELOG.md (GHSA, web)
- github.com/grafana/grafana/commit/19dbd27c5caa1a160bd5854b65a4e1fe2a8a4f00 (GHSA, web)
- github.com/grafana/grafana/pull/20192 (GHSA, web)
- security.netapp.com/advisory/ntap-20200918-0003 (GHSA, web)
- security.netapp.com/advisory/ntap-20200918-0003/ (MITRE, x_refsource_CONFIRM)
- swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.