CVE-2021-39226 - log

CVE-2021-39226 edited at 05 Oct 2021 19:36:01
Severity
- High
+ Critical
References
- https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/#cve-2021-39226-snapshot-authentication-bypass
+ https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by using a reverse proxy or similar to block access to the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey and /dashboard/snapshot/:key, i.e. requests in which the route placeholder text ":key" or ":deleteKey" itself appears as the path component rather than a real snapshot key. These literal paths have no normal function and can be blocked without side effects.
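The reverse-proxy workaround described in the note, written out as an added example that is not part of the advisory or the Grafana project. It assumes nginx terminates TLS in front of a Grafana instance listening on 127.0.0.1:3000; the upstream address, server_name and certificate paths are assumptions. The three exact-match locations return 403 for the literal placeholder paths and everything else, including real snapshot keys, is proxied unchanged.

```nginx
# Added example, not from the advisory: nginx fronting Grafana and
# blocking the literal placeholder paths named in the CVE-2021-39226
# workaround. Upstream address, hostname and TLS paths are assumptions.
upstream grafana {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name grafana.example.internal;              # assumption
    ssl_certificate     /etc/nginx/tls/grafana.crt;    # assumption
    ssl_certificate_key /etc/nginx/tls/grafana.key;    # assumption

    # Exact-match locations for the literal route placeholders.
    # nginx percent-decodes the request URI before location matching,
    # so /api/snapshots/%3Akey is caught by the same rule.
    location = /api/snapshots/:key              { return 403; }
    location = /api/snapshots-delete/:deleteKey { return 403; }
    location = /dashboard/snapshot/:key         { return 403; }

    # Everything else, including real snapshot keys, goes to Grafana.
    location / {
        proxy_pass http://grafana;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t && nginx -s reload`, `curl -sk -o /dev/null -w '%{http_code}' https://grafana.example.internal/api/snapshots/:key` should print 403, while a request for a genuine snapshot key still reaches Grafana. The block is only effective if Grafana is not reachable except through the proxy, so bind Grafana to localhost or firewall port 3000. The exact-match locations cover only the spellings listed in the advisory; treat the proxy rule as a stopgap and upgrade to 7.5.11 or 8.1.6, the fixed releases named in the referenced blog post.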
CVE-2021-39226 edited at 05 Oct 2021 18:33:45
Type
- Information disclosure
+ Authentication bypass
CVE-2021-39226 edited at 05 Oct 2021 18:32:33
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A security issue has been found in Grafana before version 8.1.6. Unauthenticated and authenticated users are able to view the snapshot with the lowest database key. If the snapshot "public_mode" configuration setting is set to true (the default is false), unauthenticated users are also able to delete the snapshot with the lowest database key. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key. Because deleting the lowest-keyed snapshot exposes the next one, alternating viewing and deletion enables a complete walk through all snapshot data while also destroying every snapshot.
References
+ https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/#cve-2021-39226-snapshot-authentication-bypass
+ https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
Notes
CVE-2021-39226 created at 05 Oct 2021 18:29:11