RHEL-152086

ansible-pcp ships hardcoded default Grafana admin password


    • Bug
    • Resolution: Unresolved
    • Blocker
    • CentOS Stream 10
    • ansible-pcp
    • rhel-pt-pcp
    • noarch

      What were you trying to do that didn't work?

      Reviewing ansible-pcp package security configuration. The Grafana role ships a hardcoded default admin password (__grafana_password: admin) in role defaults rather than requiring explicit configuration. Deployments using this role without overriding the variable result in a Grafana instance with known default credentials accessible over the network.

      What is the impact of this issue to you?

      Any system deployed using the ansible-pcp Grafana role with default variables will have a Grafana instance accessible with known credentials (admin:admin). Since Grafana binds to a network port, this creates a remotely exploitable authentication bypass. Attackers with network access can log into Grafana, view monitoring data, modify dashboards, and potentially pivot further depending on the environment.

      Please provide the package NVR for which the bug is seen:

      ansible-pcp-2.4.2-1.el10.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. rpm2cpio ansible-pcp-2.4.2-1.el10.noarch.rpm | cpio -i --to-stdout "*grafana*main.yml" 2>/dev/null | grep -i password
      2. Observe __grafana_password: admin
      3. Deploy the grafana role without overriding the variable

      Expected results

      Role should require explicit password configuration or generate a random password

      Actual results

      Grafana deployed with known default credentials (admin:admin)
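      As an added illustration (not code from the ansible-pcp package or from this report), a small scanner that flags credential-like variables assigned literal values in a role's defaults file, the class of defect described above. It runs on a constructed sample that mirrors the __grafana_password: admin line; the `mandatory`-filter and vault-encrypted entries in the sample show defaults that force explicit configuration instead of shipping a known password.

```python
import re

# Variable names that usually carry credentials.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.IGNORECASE)
# Values that are not literal secrets: Jinja expressions (e.g. `| mandatory`),
# vault-encrypted blobs, and empty/null placeholders.
NON_LITERAL_RE = re.compile(r"^(\{\{.*\}\}|!vault.*|~|null)?$", re.IGNORECASE)

# Constructed sample defaults/main.yml (not the shipped file); line 3 mirrors
# the value reported in this bug, lines 4-7 show hardened alternatives.
SAMPLE_DEFAULTS = """\
# constructed sample modelled on the report
__grafana_port: 3000
__grafana_password: admin
__grafana_api_token: "{{ grafana_api_token | mandatory }}"
__grafana_db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          0000deadbeef0000
"""


def find_hardcoded_secrets(defaults_text: str):
    """Return (line_no, key, value) for top-level `key: value` lines whose key
    looks credential-like and whose value is a plain literal."""
    findings = []
    for lineno, raw in enumerate(defaults_text.splitlines(), 1):
        # Drop trailing YAML comments (a '#' preceded by whitespace), but keep
        # a '#' embedded in a quoted value such as 'p#ss'.
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        # Only unindented scalar assignments are candidate defaults; vault
        # continuation lines are indented and therefore skipped.
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if SECRET_KEY_RE.search(key) and not NON_LITERAL_RE.match(value):
            findings.append((lineno, key, value))
    return findings


if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_secrets(SAMPLE_DEFAULTS):
        print(f"line {lineno}: {key} has literal default {value!r}")
```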

      Leave everything else as default/None.

              pcp-maint
              Christopher Lusk (rh-ee-clusk)
              pcp-maint
              Jan Kurik