← volver
CVE-2021-39226

Snapshot authentication bypass in grafana

CVSS 9.8 CRITICALEPSS 99.9%● KEVCWE-287
En resumen

Los snapshots de Grafana pueden ser visualizados y eliminados por cualquier persona sin autenticación adecuada. Un atacante puede acceder a datos de snapshots y destruirlos adivinando claves simples de la base de datos, causando pérdida de datos y divulgación no autorizada de información.

Detalle técnico

Fallo de autenticación en los endpoints de snapshots de Grafana permite que usuarios no autenticados enumeren y visualicen snapshots mediante /dashboard/snapshot/:key o /api/snapshots/:key, y eliminen snapshots mediante /api/snapshots-delete/:deleteKey cuando public_mode está habilitado. Los usuarios autenticados pueden eliminar snapshots independientemente de la configuración public_mode. La vulnerabilidad resulta de controles de acceso insuficientes en endpoints que se basan en claves de base de datos predecibles en lugar de validación adecuada de autenticación.

Resumen generado y traducido por IA a partir de la descripción oficial.
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
grafana · grafana

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/https://security.netapp.com/advisory/ntap-20211029-0008/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226http://www.openwall.com/lists/oss-security/2021/10/05/4