Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-39226

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.

Published

2021-10-05T18:15:07.947

Last Modified

2025-02-18T14:53:42.247

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-287
Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	grafana	grafana	< 7.5.11	Yes
Application	grafana	grafana	< 8.1.6	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes

References

http://www.openwall.com/lists/oss-security/2021/10/05/4 Mailing List, Third Party Advisory ([email protected])
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 Patch ([email protected])
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 Exploit, Mitigation, Vendor Advisory ([email protected])
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/ Release Notes ([email protected])
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/ Release Notes ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/ Broken Link ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/ Broken Link ([email protected])
https://security.netapp.com/advisory/ntap-20211029-0008/ Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2021/10/05/4 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 Exploit, Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/ Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/ Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/ Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/ Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211029-0008/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)