PT-2021-7655 · Grafana+5
Theblackturtle +1
Published 2021-10-05 · Updated 2025-10-24
CVE-2021-39226
CVSS v2.0: 10 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Grafana versions prior to 7.5.11; Grafana versions prior to 8.1.6.
Description: The issue in Grafana allows unauthenticated and authenticated users to view the snapshot with the lowest database key by accessing the literal paths "/dashboard/snapshot/:key" or "/api/snapshots/:key". If the snapshot "public mode" configuration setting is set to true, unauthenticated users can delete the snapshot with the lowest database key by accessing the literal path "/api/snapshots-delete/:deleteKey". Authenticated users can delete the snapshot with the lowest database key by accessing the literal paths "/api/snapshots/:key" or "/api/snapshots-delete/:deleteKey". This enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Recommendations: For versions prior to 7.5.11, update to version 7.5.11 or later. For versions prior to 8.1.6, update to version 8.1.6 or later. As a temporary workaround, consider using a reverse proxy or similar to block access to the literal paths "/api/snapshots/:key", "/api/snapshots-delete/:deleteKey", and "/dashboard/snapshot/:key". They have no normal function and can be disabled without side effects.
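As an added example (not part of this advisory record and not Grafana's or the reporter's code), the check below scans reverse-proxy access-log lines for requests to the three literal placeholder paths named above, which no legitimate client ever requests, and flags a 2xx on the delete route or on a DELETE request as possible snapshot loss that needs incident follow-up rather than just blocking. The NCSA combined log format, the regex, the function names and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Literal route paths named in the advisory. ":key" and ":deleteKey" are router
# placeholders, so a request for the unsubstituted string is the tell-tale sign.
LITERAL_SNAPSHOT_PATHS = {
    "/dashboard/snapshot/:key",
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
}

# Assumed input: NCSA combined-style lines from the proxy in front of Grafana.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target: str) -> str:
    # Drop the query string and percent-decode so "%3Akey" matches ":key" too.
    return unquote(urlsplit(target).path)

def is_literal_snapshot_path(target: str) -> bool:
    return normalize_path(target) in LITERAL_SNAPSHOT_PATHS

def scan_access_log(lines):
    """One finding per request to a literal snapshot path. A 2xx on the delete
    route or on a DELETE request is flagged for incident follow-up, since it
    likely removed the lowest-key snapshot rather than merely exposing it."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_literal_snapshot_path(m["target"]):
            continue
        path, status = normalize_path(m["target"]), int(m["status"])
        findings.append({
            "client": m["client"], "time": m["time"], "method": m["method"],
            "path": path, "status": status,
            "possible_data_loss": status < 300
            and ("snapshots-delete" in path or m["method"] == "DELETE"),
        })
    return findings

# Constructed sample lines (not real traffic); the first is a normal fetch and must not fire.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /api/snapshots/abc123def HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 4096',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /dashboard/snapshot/%3Akey?orgId=1 HTTP/1.1" 200 8192',
    '198.51.100.9 - - [05/Oct/2021:10:01:00 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 35',
    '198.51.100.9 - - [05/Oct/2021:10:01:05 +0000] "DELETE /api/snapshots/:key HTTP/1.1" 403 40',
]
```

Running this over the proxy's retained logs from before the block was put in place shows whether the paths were ever hit and whether any hit succeeded, which decides between a simple patch and a restore of snapshot data.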

Weakness Enumeration

Missing Authorization
Improper Authentication

Related Identifiers

ALT-PU-2021-3505
ALT-PU-2021-3543
ALT-PU-2022-1177
ALT-PU-2022-1249
BDU:2023-01019
BIT-GRAFANA-2021-39226
CESA-2021_3771
CVE-2021-39226
ECHO-45B3-E762-6F5E
GHSA-69J6-29VR-P3J9
OESA-2021-1445
OESA-2022-1929
OPENSUSE-SU-2022:0140-1
OPENSUSE-SU-2022_0140-1
OPENSUSE-SU-2022_1396-1
OPENSUSE-SU-2024:11651-1
RHSA-2021:3769
RHSA-2021:3770
RHSA-2021:3771
RHSA-2021_3771
RLSA-2021:3771
SUSE-FU-2022:1419-1
SUSE-SU-2022:0138-1
SUSE-SU-2022:0139-1
SUSE-SU-2022:0310-1
SUSE-SU-2022:0311-1
SUSE-SU-2022:0751-1
SUSE-SU-2022:1396-1
SUSE-SU-2022:2134-1
SUSE-SU-2022:3338-1
SUSE-SU-2022:3339-1
SUSE-SU-2022:3425-1
SUSE-SU-2024:0191-1

Affected Products

Alt Linux
Centos
Grafana
Red Hat
Rocky Linux
Suse