[FREEBSD:757EE63B-269A-11EC-A616-6C3BE5272ACD] Grafana -- Snapshot authentication bypass

Severity: High
Affected packages: 1
CVEs: 1

Grafana Labs reports:

  Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

    /dashboard/snapshot/:key, or
    /api/snapshots/:key

  If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

    /api/snapshots-delete/:deleteKey

  Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

    /api/snapshots/:key, or
    /api/snapshots-delete/:deleteKey

  The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
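The distinguishing feature of the requests described above is that the route parameter name itself (":key" or ":deleteKey") appears verbatim as a path segment instead of a real snapshot key, which makes them easy to spot in web-server or reverse-proxy access logs. The following scanner is an added example, not code from Grafana Labs or the FreeBSD port; it assumes Common Log Format lines (a hypothetical log shape) with the authenticated user in the third field, and labels each hit as a view or a delete and as authenticated or not, so an unauthenticated delete hit can be checked against the "public_mode" setting.

```python
import re
from urllib.parse import urlsplit

# Literal route templates from the advisory: ":key" / ":deleteKey" appearing
# verbatim as a path segment instead of a real snapshot key is the signature.
VIEW_ROUTES = {"/dashboard/snapshot/:key", "/api/snapshots/:key"}
DELETE_ROUTES = {"/api/snapshots-delete/:deleteKey"}

# Common Log Format (assumed log shape); the third field is the user or "-".
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(method, target, user):
    """Return (action, authenticated) for a literal-route hit, else None."""
    path = urlsplit(target).path.rstrip("/")
    if path in DELETE_ROUTES:
        action = "delete"
    elif path in VIEW_ROUTES:
        # /api/snapshots/:key reads on GET and deletes on DELETE.
        action = "delete" if method == "DELETE" else "view"
    else:
        return None
    return action, user != "-"

def scan(lines):
    """Parse access-log lines; return one finding per literal-route request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; ignore
        hit = classify(m["method"], m["target"], m["user"])
        if hit:
            findings.append({"src": m["src"], "user": m["user"],
                             "action": hit[0], "authenticated": hit[1],
                             "status": int(m["status"])})
    return findings

# Constructed sample lines (not real traffic): a legitimate snapshot view,
# an unauthenticated literal view, an authenticated literal DELETE, and an
# unauthenticated literal delete through the snapshots-delete route.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:01:02 +0000] "GET /dashboard/snapshot/AbC123xyz HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Oct/2021:10:01:09 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 5120',
    '198.51.100.4 - alice [05/Oct/2021:10:02:30 +0000] "DELETE /api/snapshots/:key HTTP/1.1" 200 27',
    '203.0.113.7 - - [05/Oct/2021:10:02:41 +0000] "GET /api/snapshots-delete/:deleteKey?x=1 HTTP/1.1" 200 27',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 on an unauthenticated delete hit means the instance both predates the fix and has "public_mode" enabled; the legitimate first line is correctly left out because its key is a real value, not the literal segment.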
Affected package:

  Type:              Affected
  Package URL:       pkg:freebsd/grafana8
  Name / Product:    grafana8
  Affected version:  < 8.1.6