Main Vulnerability Database Vulnerabilities #VU57320

Improper access control in Grafana - CVE-2021-39226

Published: October 12, 2021 / Updated: September 3, 2022

Vulnerability identifier: #VU57320

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green

CVE-ID: CVE-2021-39226

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vendor: Grafana Labs

Affected software:
Grafana

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions to database snapshots. Remote unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey.

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

How to mitigate CVE-2021-39226

Install updates from vendor's website.

Improper access control in Grafana - CVE-2021-39226

Detailed vulnerability description

How to mitigate CVE-2021-39226

Sources

Please verify you're human