CVE-2018-9090
Last modified
CVE-2018-9090 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. EPSS estimates a 0.79% chance of exploitation in the next 30 days.
Description
CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Tectonic | >= 1.7.1-tectonic.1, < 1.8.7-tectonic.2 |
References
- https://coreos.com/tectonic/releases/Release Notes, Vendor Advisory
- https://coreos.com/tectonic/releases/#1.8.7-tectonic.2Release Notes, Vendor Advisory
- https://coreos.com/tectonic/releases/Release Notes, Vendor Advisory
- https://coreos.com/tectonic/releases/#1.8.7-tectonic.2Release Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-9090?
How severe is CVE-2018-9090?
How do I fix CVE-2018-9090?
Are you affected by CVE-2018-9090?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST