HomePentest-Tools.com Logo

Grafana Snapshot - Authentication Bypass CVE-2021-39226

Severity
CVSSv3 Score
7.3
Vulnerability description

Grafana server is vulnerable to CVE-2021-39226, an Authentication Bypass vulnerability in the /api/snapshots/:key endpoint. This allows attackers to view the snapshot with the lowest database key by accessing the literal path /api/snapshots/:key. If the snapshot public_mode configuration setting is set to true, unauthenticated users are able to delete the snapshot with the lowest database key by accessing the path: /api/snapshots-delete/:deleteKey.

Risk description

No risk description to display.

Recommendation

This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.

Codename
Not available
Detectable with
Network Scanner
Scan engine
Nuclei
Exploitable with Sniper
No
CVE Published
Oct 5, 2021
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available