PT-2021-17412 · Grafana+6

Marefr · Published 2021-02-17 · Updated 2024-03-06 · CVE-2021-27358

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Grafana versions 6.7.3 through 7.4.1

Description: The snapshot feature in Grafana can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set. This issue is related to the github.com/grafana/grafana/pkg/middleware package.

Recommendations: For versions 6.7.3 through 7.4.1, update to version 7.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the snapshot feature until a patch is available. Avoid using the snapshot feature in commonly used configurations until the issue is resolved.

Exploit · Fix

Weakness Enumeration: Missing Authentication, Resource Exhaustion

Related Identifiers

ALSA-2021:4226
ALT-PU-2021-1708
ALT-PU-2022-1177
ALT-PU-2022-1249
BIT-GRAFANA-2021-27358
CESA-2021_4226
CVE-2021-27358
GHSA-H5RH-W6VM-9GHC
OESA-2021-1445
OPENSUSE-SU-2021:1148-1
OPENSUSE-SU-2021:2662-1
OPENSUSE-SU-2021_1148-1
OPENSUSE-SU-2021_2662-1
RHSA-2021:4226
RHSA-2021_4226
RLSA-2021:4226
SUSE-SU-2021:1962-1
SUSE-SU-2021:1963-1
SUSE-SU-2021:2554-1
SUSE-SU-2021:2660-1

Affected Products

Alt Linux
Almalinux
Centos
Grafana
Red Hat
Rocky Linux
Suse