QID 730238
Date Published: 2021-10-21
QID 730238: Grafana Enterprise Snapshot Authentication Bypass Vulnerability
Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application.
Affected by the Following Vulnerabilities:
CVE-2021-39226: Unauthenticated and authenticated users are able to view the snapshot with the lowest database key (the lowest number in the database index) by accessing the literal paths.
Affected Versions:
Grafana Version 2.0.1 to 7.5.10
Grafana Version 8.0.0 to 8.1.5
QID Detection Logic:
This QID checks for a vulnerable version of Grafana Enterprise.
Successful exploitation could allow an unauthenticated remote attacker to trigger a Denial of Service.
Solution:
Customers are advised to upgrade to Grafana Enterprise 7.5.11, 8.1.6, or a later release to fix this vulnerability.
Workaround:
If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to the literal paths:
- /api/snapshots/:key
- /api/snapshots-delete/:deleteKey
- /dashboard/snapshot/:key
They have no normal function and can be disabled without side effects.
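As an added example (not part of the Qualys advisory or of Grafana's own documentation), an nginx server block that implements the workaround above; the hostname, certificate paths and the Grafana upstream address are assumptions:

```nginx
# Added example, not from the Qualys advisory or Grafana: nginx reverse-proxy
# rules that block only the literal placeholder paths named in the workaround.
# Assumes Grafana listens on 127.0.0.1:3000 behind this server block.
server {
    listen 443 ssl;
    server_name grafana.example.internal;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/grafana.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/grafana.key;       # placeholder path

    # "location =" is an exact match on the decoded URI, so the literal path
    # "/api/snapshots/:key" (and its percent-encoded form ".../%3Akey") is
    # blocked, while real snapshot keys such as /api/snapshots/AbC123 still
    # reach Grafana. Prefix matching would break normal snapshot access.
    location = /api/snapshots/:key              { return 404; }
    location = /api/snapshots-delete/:deleteKey { return 404; }
    location = /dashboard/snapshot/:key         { return 404; }

    # Everything else is proxied to Grafana unchanged.
    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

After reloading, confirm with curl that the three literal paths return 404 through the proxy and that a dashboard snapshot with a real key still loads; the workaround is a stopgap until the upgrade in the Solution section is applied.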
Vendor References
- Grafana Release Note 8.1.6: grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
CVEs related to QID 730238
- CVE-2021-39226
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Grafana Release Note 8.1.6 | Grafana | | grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/ |