Vulnerability Details CVE-2018-9090
CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.9%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
Products affected by CVE-2018-9090
-
cpe:2.3:a:redhat:tectonic:1.7.1-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.7.1-tectonic.1.0.0
-
cpe:2.3:a:redhat:tectonic:1.7.1-tectonic.2
-
cpe:2.3:a:redhat:tectonic:1.7.14-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.7.14-tectonic.2
-
cpe:2.3:a:redhat:tectonic:1.7.3-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.7.3-tectonic.2
-
cpe:2.3:a:redhat:tectonic:1.7.3-tectonic.3
-
cpe:2.3:a:redhat:tectonic:1.7.3-tectonic.4
-
cpe:2.3:a:redhat:tectonic:1.7.5-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.7.9-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.7.9-tectonic.2
-
cpe:2.3:a:redhat:tectonic:1.7.9-tectonic.3
-
cpe:2.3:a:redhat:tectonic:1.7.9-tectonic.4
-
cpe:2.3:a:redhat:tectonic:1.8.4-tectonic.1
-
cpe:2.3:a:redhat:tectonic:1.8.4-tectonic.2
-
cpe:2.3:a:redhat:tectonic:1.8.4-tectonic.3
-
cpe:2.3:a:redhat:tectonic:1.8.4-tectonic.4