Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-39226

Improper Authentication

Published: Oct 05, 2021 | Modified: Nov 21, 2024
CVSS 3.x
7.3
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7.3 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Ubuntu
HIGH
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-39226
CWEhttps://cwe.mitre.org/data/definitions/287.html

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot public_mode configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot public_mode setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Grafana Grafana * 7.5.11 (excluding)
Grafana Grafana 8.0.0 (including) 8.1.6 (excluding)
Grafana Ubuntu esm-apps/xenial *
Grafana Ubuntu trusty *
Grafana Ubuntu upstream *
Grafana Ubuntu xenial *
Red Hat Enterprise Linux 8 RedHat grafana-0:7.3.6-3.el8_4 *
Red Hat Enterprise Linux 8.1 Extended Update Support RedHat grafana-0:6.2.2-7.el8_1 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat grafana-0:6.3.6-3.el8_2 *
Red Hat OpenShift Container Platform 3.11 RedHat openshift3/grafana:v3.11.784-1.g423963f *
Red Hat OpenShift Container Platform 4.10 RedHat openshift4/ose-grafana:v4.10.0-202202160023.p0.g48aec35.assembly.stream *
Red Hat OpenShift Container Platform 4.6 RedHat openshift4/ose-grafana:v4.6.0-202208310224.p0.gcf170c0.assembly.stream *
Red Hat OpenShift Container Platform 4.7 RedHat openshift4/ose-grafana:v4.7.0-202208310205.p0.g613acad.assembly.stream *
Red Hat OpenShift Container Platform 4.8 RedHat openshift4/ose-grafana:v4.8.0-202208311019.p0.gf98b47f.assembly.stream *
Red Hat OpenShift Container Platform 4.9 RedHat openshift4/ose-grafana:v4.9.0-202208311003.p0.g3b7bed6.assembly.stream *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use