On the 5th of October a notice for CVE-2021-39226 with a severity of high went out, impacting the Grafana deployments.
Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:
- /dashboard/snapshot/:key, or
- /api/snapshots/:key
If the snapshot “public_mode” configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:
- /api/snapshots-delete/:deleteKey
Regardless of the snapshot “public_mode” setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:
- /api/snapshots/:key, or
- /api/snapshots-delete/:deleteKey
The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Grafana released version 7.5.11 and 8.1.6 on the 6th of October and we patched all our deployments the same day.
In most cases there was no impact since Grafana only accessible internally or with a VPN connection. For setups that run public they were vulnerable when the snapshot feature was used.