CVE-2021-39226

Published: 05/10/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.3 | Impact Score: 3.4 | Exploitability Score: 3.9
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Grafana is an open source data visualization platform. In affected versions, unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths /dashboard/snapshot/:key or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (the default is false), unauthenticated users are also able to delete the snapshot with the lowest database key by accessing the literal path /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths /api/snapshots/:key or /api/snapshots-delete/:deleteKey. Because both viewing and deletion always target the lowest remaining key, alternating the two enables a complete walk through all snapshot data, at the cost of complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey and /dashboard/snapshot/:key. They have no normal function and can be disabled without side effects.

Vulnerable Products

grafana grafana

fedoraproject fedora 34

fedoraproject fedora 35

Vendor Advisories

Synopsis: Important: OpenShift Container Platform 4.9.48 bug fix and security update. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenShift Container Platform release 4.9.48 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Co ...
Synopsis: Important: OpenShift Container Platform 4.6.61 bug fix and security update. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenShift Container Platform release 4.6.61 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Co ...
Synopsis: Important: OpenShift Container Platform 4.8.49 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenShift Container Platform release 4.8.49 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of ...
Synopsis: Moderate: OpenShift Container Platform 4.7.59 bug fix and security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.7.59 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Cont ...
Synopsis: Moderate: OpenShift Container Platform 4.10.3 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.10.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of ...
Synopsis: Moderate: OpenShift Container Platform 3.11.784 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 3.11.784 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Pl ...
A security issue has been found in Grafana before version 8.1.6. Unauthenticated and authenticated users are able to view the snapshot with the lowest database key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key. Regard ...
Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer contain the following vulnerability: CVE-2021-42550. Hitachi Ops Center Analyzer viewpoint and Hitachi Ops Center Viewpoint contain the following vulnerabilities: CVE-2021-23214, CVE-2021-23222, CVE-2021-39226, CVE-2021-42550, CVE-2021-43813. Affected products and vers ...

Mailing Lists

oss-sec mailing list archives: CVE-2021-39226 Grafana snapshot authentication bypass. From: Richard Har ...