CVE-2021-39226 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Critical
Remote	Yes
Type	Authentication bypass
Description	A security issue has been found in Grafana before version 8.1.6. Unauthenticated and authenticated users are able to view the snapshot with the lowest database key. If the snapshot “public_mode” configuration setting is set to true (vs. default or false), unauthenticated users are able to delete the snapshot with the lowest database key. Regardless of the snapshot “public_mode” setting, authenticated users are able to delete the snapshot with the lowest database key. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2445	grafana	8.1.5-1	8.1.6-1	Critical	Fixed

References
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269

Notes
Workaround ========== The issue can be mitigated by using a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.

Notes

Workaround
==========

The issue can be mitigated by using a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.