Grafana · Grafana · CVE-2021-39226
**Name of the Vulnerable Software and Affected Versions**
Grafana versions prior to 7.5.11
Grafana versions prior to 8.1.6
**Description**
The issue in Grafana allows unauthenticated and authenticated users to view the snapshot with the lowest database key by requesting the literal paths "/dashboard/snapshot/:key" or "/api/snapshots/:key" (that is, with the ":key" placeholder left as-is rather than replaced by a real snapshot key). If the snapshot "public mode" configuration setting is set to true, unauthenticated users can delete the snapshot with the lowest database key by requesting the literal path "/api/snapshots-delete/:deleteKey". Authenticated users can delete the snapshot with the lowest database key by requesting the literal paths "/api/snapshots/:key" or "/api/snapshots-delete/:deleteKey". Repeated in this way, the issue enables a complete walk through all snapshot data, at the cost of complete snapshot data loss.
**Recommendations**
For versions prior to 7.5.11, update to version 7.5.11 or later.
For versions prior to 8.1.6, update to version 8.1.6 or later.
As a temporary workaround, consider using a reverse proxy or similar to block access to the literal paths "/api/snapshots/:key", "/api/snapshots-delete/:deleteKey", and "/dashboard/snapshot/:key". They have no normal function and can be blocked without side effects.
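As an added example (not part of the advisory), the following Python check scans a Common Log Format access log, as a reverse proxy in front of Grafana would write it, and flags requests that hit the literal advisory paths rather than a real snapshot key. The log lines are constructed; matching the percent-decoded form of the path is a conservative detection choice, not a claim about how Grafana routes such requests.

```python
import re
from urllib.parse import unquote, urlsplit

# The literal paths named in the advisory: the ':key' / ':deleteKey'
# placeholders themselves, not a substituted snapshot key.
LITERAL_PATHS = frozenset({
    "/dashboard/snapshot/:key",
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
})

# Common Log Format: client ident user [timestamp] "METHOD TARGET PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(target):
    """Drop the query string, percent-decode (so '%3Akey' compares equal to
    ':key'; a conservative assumption for detection) and strip a trailing slash."""
    path = unquote(urlsplit(target).path)
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def is_literal_snapshot_path(target):
    return normalize_path(target) in LITERAL_PATHS


def find_literal_path_hits(lines):
    """Return (client, method, normalized path, status) for each request to a
    literal advisory path. A 200 on a view path means a snapshot was served;
    a 200 on a delete path means one was removed."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and is_literal_snapshot_path(m["target"]):
            hits.append((m["client"], m["method"],
                         normalize_path(m["target"]), int(m["status"])))
    return hits


# Constructed sample access log (not real traffic). Only the first three
# lines hit literal paths; the fourth uses a real-looking key and is normal.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots/%3Akey?x=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 20',
    '198.51.100.4 - admin [05/Oct/2021:10:01:00 +0000] "GET /api/snapshots/AbCdEf123 HTTP/1.1" 200 4096',
    '198.51.100.4 - admin [05/Oct/2021:10:01:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_literal_path_hits(SAMPLE_LOG):
        print(*hit)
```

The same `is_literal_snapshot_path` test is the condition a reverse proxy rule would apply to block these paths before they reach Grafana.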