A security issue has been found in Grafana before version 8.1.6. Unauthenticated and authenticated users are able to view the snapshot with the lowest database key. If the snapshot “public_mode” configuration setting is set to true (vs. default or false), unauthenticated users are able to delete the snapshot with the lowest database key. Regardless of the snapshot “public_mode” setting, authenticated users are able to delete the snapshot with the lowest database key. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Workaround ========== The issue can be mitigated by using a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.